CMMC L2

Cybersecurity is a top priority for the Department of Defense. The Defense Industrial Base (DIB) is the target of more frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables our warfighters.

Controls:

Ensures that system maintenance activities are controlled, monitored, and performed securely to prevent unauthorized modifications or access during repairs.

  • Maintenance Personnel (MA.L2-3.7.6)

    The Maintenance Personnel subcontrol MA.L2-3.7.6 within the Maintenance control of CMMC focuses on managing and controlling the activities of maintenance personnel to ensure the secure and effective maintenance of information systems. This subcontrol addresses the need for organizations to establish measures for selecting, authorizing, and monitoring individuals involved in maintenance tasks.

  • Nonlocal Maintenance (MA.L2-3.7.5[b])

    The Nonlocal Maintenance subcontrol MA.L2-3.7.5[b] within the Maintenance control of CMMC focuses on ensuring the security of information systems during nonlocal maintenance activities. This subcontrol specifically addresses the need to manage and control the use of nonlocal maintenance sessions, emphasizing the importance of monitoring and securing remote access.

  • Nonlocal Maintenance (MA.L2-3.7.5[a])

    The Nonlocal Maintenance subcontrol MA.L2-3.7.5[a] within the Maintenance control of CMMC focuses on enhancing the security of information systems by implementing specific measures to control and monitor nonlocal maintenance activities. This subcontrol addresses the unique challenges and risks associated with maintenance activities performed from remote locations.

  • Media Inspection (MA.L2-3.7.4)

    The Media Inspection subcontrol MA.L2-3.7.4 within the Maintenance control of CMMC focuses on implementing processes and procedures for inspecting and verifying the physical and logical security of information system media. This subcontrol aims to ensure that media containing sensitive data is regularly examined to detect and mitigate any potential security vulnerabilities or unauthorized access.

  • Equipment Sanitization (MA.L2-3.7.3)

    The Equipment Sanitization subcontrol MA.L2-3.7.3 within the Maintenance control of CMMC focuses on establishing processes and procedures for the proper and secure sanitization of information system equipment. This includes the removal of sensitive data from equipment that is no longer in use, ensuring that it is prepared for disposal, reuse, or reallocation without compromising the confidentiality of information.

  • System Maintenance Control (MA.L2-3.7.2[d])

    The System Maintenance Control subcontrol MA.L2-3.7.2[d] within the Maintenance control of CMMC focuses on establishing controls to manage and supervise maintenance activities on information systems. Specifically, this subcontrol emphasizes the need for organizations to review and assess the impact of system maintenance activities, ensuring that they align with organizational policies and do not compromise the security or functionality of information systems.

  • System Maintenance Control (MA.L2-3.7.2[c])

    The System Maintenance Control subcontrol MA.L2-3.7.2[c] within the Maintenance control of CMMC emphasizes the importance of organizations establishing controls to govern and supervise maintenance activities on information systems. This subcontrol specifically focuses on ensuring that maintenance activities are authorized, tracked, and aligned with organizational policies.

  • System Maintenance Control (MA.L2-3.7.2[b])

    The System Maintenance Control subcontrol MA.L2-3.7.2[b] within the Maintenance control of CMMC emphasizes the importance of organizations establishing controls to govern and supervise maintenance activities on information systems. This subcontrol specifically focuses on documentation, ensuring that organizations maintain accurate records of system maintenance activities, changes, and configurations.

  • System Maintenance Control (MA.L2-3.7.2[a])

    The System Maintenance Control subcontrol MA.L2-3.7.2[a] within the Maintenance control of CMMC emphasizes the need for organizations to establish controls governing the maintenance of information systems. This subcontrol specifically addresses the coordination, planning, and execution of system maintenance activities to ensure that they align with organizational policies, minimize disruptions, and maintain the security and functionality of information systems.

  • Perform Maintenance (MA.L2-3.7.1)

    The Perform Maintenance subcontrol MA.L2-3.7.1 within the Maintenance control of CMMC focuses on establishing and executing procedures to ensure the ongoing effectiveness, security, and functionality of organizational information systems. This subcontrol encompasses regular maintenance activities, updates, and configurations to address vulnerabilities, enhance performance, and mitigate potential risks.

Establishes procedures to detect, report, and respond to security incidents, minimizing damage and ensuring timely recovery.

  • Incident Handling (IR.L2-3.6.1[a])

    The Incident Handling subcontrol IR.L2-3.6.1[a] within the Incident Response control of CMMC emphasizes the importance of establishing procedures for reporting and documenting cybersecurity incidents. This subcontrol focuses on timely and accurate reporting to ensure a swift and effective response to incidents, contributing to the overall resilience of the organization's information systems.

  • Incident Handling (IR.L2-3.6.1[b])

    The Incident Handling subcontrol IR.L2-3.6.1[b] within the Incident Response control of CMMC emphasizes the importance of analyzing and documenting incidents to support effective response and improve future incident handling capabilities. This subcontrol focuses on the collection and analysis of incident-related data to enhance the organization's understanding of cybersecurity threats.

  • Incident Handling (IR.L2-3.6.1[c])

    The Incident Handling subcontrol IR.L2-3.6.1[c] within the Incident Response control of CMMC emphasizes the importance of communicating incident information to appropriate parties, both within and external to the organization. This subcontrol focuses on maintaining effective communication channels to facilitate coordinated incident response efforts and share relevant information with stakeholders.

  • Incident Handling (IR.L2-3.6.1[d])

    The Incident Handling subcontrol IR.L2-3.6.1[d] within the Incident Response control of CMMC focuses on incorporating lessons learned from incident response activities into the organization's cybersecurity practices. This subcontrol emphasizes continuous improvement by analyzing incidents, identifying areas for enhancement, and updating incident response procedures accordingly.

  • Incident Handling (IR.L2-3.6.1[e])

    The Incident Handling subcontrol IR.L2-3.6.1[e] within the Incident Response control of CMMC focuses on providing feedback to individuals and teams involved in incident response activities. This subcontrol emphasizes the importance of recognizing and acknowledging the efforts of incident response personnel, contributing to their professional development and fostering a culture of continuous improvement.

  • Incident Handling (IR.L2-3.6.1[f])

    The Incident Handling subcontrol IR.L2-3.6.1[f] within the Incident Response control of CMMC focuses on coordinating with external organizations during incident response activities. This subcontrol emphasizes the importance of establishing relationships, communication channels, and collaborative processes with external entities to enhance incident response capabilities.

  • Incident Handling (IR.L2-3.6.1[g])

    The Incident Handling subcontrol IR.L2-3.6.1[g] within the Incident Response control of CMMC emphasizes the importance of maintaining incident documentation and records. This subcontrol focuses on the systematic documentation of incident details, response actions, and outcomes to support post-incident analysis, compliance, and organizational learning.

  • Incident Reporting (IR.L2-3.6.2[a])

    The Incident Reporting subcontrol IR.L2-3.6.2[a] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to appropriate internal entities. This subcontrol focuses on establishing clear procedures for internal incident reporting to ensure that relevant teams within the organization are informed promptly.

  • Incident Reporting (IR.L2-3.6.2[b])

    The Incident Reporting subcontrol IR.L2-3.6.2[b] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to external entities, including the appropriate authorities, as required by regulations and agreements. This subcontrol focuses on establishing clear procedures for external incident reporting to facilitate compliance and coordination with law enforcement, regulatory bodies, and industry partners.

  • Incident Reporting (IR.L2-3.6.2[c])

    The Incident Reporting subcontrol IR.L2-3.6.2[c] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to external entities for the purpose of sharing threat intelligence. This subcontrol focuses on establishing procedures for sharing relevant information with external organizations, fostering collaboration, and contributing to the collective defense against cyber threats.

  • Incident Reporting (IR.L2-3.6.2[d])

    The Incident Reporting subcontrol IR.L2-3.6.2[d] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to the appropriate entities for legal and contractual purposes. This subcontrol focuses on establishing procedures for fulfilling legal and contractual obligations related to incident reporting, ensuring organizations meet regulatory requirements and maintain transparency with relevant stakeholders.

  • Incident Reporting (IR.L2-3.6.2[e])

    The Incident Reporting subcontrol IR.L2-3.6.2[e] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to appropriate external entities for the purpose of contributing to collective defense efforts. This subcontrol focuses on establishing procedures for sharing relevant threat intelligence with external entities, fostering collaboration, and enhancing the overall cybersecurity posture.

  • Incident Reporting (IR.L2-3.6.2[f])

    The Incident Reporting subcontrol IR.L2-3.6.2[f] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to appropriate external entities for the purpose of coordinating response activities. This subcontrol focuses on establishing procedures for sharing incident details with external entities to facilitate collaborative incident response efforts and enhance overall cybersecurity resilience.

  • Incident Response Testing (IR.L2-3.6.3)

    The Incident Response Testing subcontrol IR.L2-3.6.3 within the Incident Response control of CMMC focuses on regularly testing and evaluating incident response capabilities to ensure the effectiveness of the organization's response procedures. This subcontrol emphasizes the importance of conducting simulated incident response exercises to identify areas for improvement, enhance preparedness, and strengthen the overall response posture.

Requires users to be uniquely identified and authenticated before accessing systems, ensuring accountability and preventing unauthorized access.

  • Identification (IA.L1-3.5.1[a])

    Identification subcontrol IA.L1-3.5.1[a] within the Identification and Authentication control of CMMC focuses on the establishment and maintenance of unique user identifiers to ensure the accountability of individuals accessing organizational systems. This specific aspect highlights the need for distinct identifiers for non-human entities, such as devices, services, or system processes.

  • Identification (IA.L1-3.5.1[b])

    Identification subcontrol IA.L1-3.5.1[b] within the Identification and Authentication control of CMMC focuses on the establishment and management of unique user identifiers for individuals accessing organizational systems. This specific aspect emphasizes the importance of identifiers for privileged users and administrators who have elevated access privileges within the organization.

  • Identification (IA.L1-3.5.1[c])

    Identification subcontrol IA.L1-3.5.1[c] within the Identification and Authentication control of CMMC focuses on the establishment and maintenance of unique user identifiers specifically for external users accessing organizational systems. This aspect highlights the importance of precise identification for individuals who are not internal employees but require access to organizational resources.

  • Authentication (IA.L1-3.5.2[a])

    Authentication subcontrol IA.L1-3.5.2[a] within the Identification and Authentication control of CMMC focuses on the implementation of Multi-Factor Authentication (MFA) for privileged users. This subcontrol specifically emphasizes the need to enhance the security of authentication processes for individuals with elevated access privileges, such as administrators and other privileged users.

  • Authentication (IA.L1-3.5.2[b])

    Authentication subcontrol IA.L1-3.5.2[b] within the Identification and Authentication control of CMMC focuses on the secure and effective management of user authentication credentials. This subcontrol emphasizes the importance of enforcing strong password policies and ensuring that users create and maintain robust passwords to enhance the overall security of organizational systems.

  • Authentication (IA.L1-3.5.2[c])

    Authentication subcontrol IA.L1-3.5.2[c] within the Identification and Authentication control of CMMC focuses on the secure implementation of biometric authentication methods. This subcontrol emphasizes the use of biometrics, such as fingerprint or facial recognition, as a means to enhance the reliability and strength of user authentication.

  • Multifactor Authentication (IA.L2-3.5.3[a])

    The Multifactor Authentication (MFA) control (IA.L2-3.5.3[a]) requires organizations to implement MFA for access to sensitive systems and data. MFA adds an extra layer of security beyond just passwords, requiring users to present two or more independent authentication factors. These factors may include something the user knows (password), something the user has (smart card or token), or something the user is (biometric verification such as fingerprints).

    Multifactor Authentication significantly reduces the risk of unauthorized access to systems and networks by ensuring that even if one authentication factor is compromised, the additional factors help safeguard access to critical resources, such as Controlled Unclassified Information (CUI).

  • Multifactor Authentication (IA.L2-3.5.3[b])

    The Multifactor Authentication (MFA) subcontrol IA.L2-3.5.3[b] within the Identification and Authentication control of CMMC accentuates the importance of robust authentication practices. It mandates the utilization of at least two independent authentication factors during the user authentication process, significantly enhancing the security posture of organizational systems.

  • Multifactor Authentication (IA.L2-3.5.3[c])

    The Multifactor Authentication (MFA) subcontrol IA.L2-3.5.3[c] within the Identification and Authentication control of CMMC reinforces the necessity of robust authentication measures. It mandates the implementation of at least two distinct and independent authentication factors during user authentication processes, adding a critical layer of security to protect against unauthorized access.

  • Multifactor Authentication (IA.L2-3.5.3[d])

    The Multifactor Authentication (MFA) subcontrol IA.L2-3.5.3[d] within the Identification and Authentication control of CMMC emphasizes the importance of bolstering authentication practices. It mandates the implementation of at least two independent authentication factors during user authentication processes, adding an essential layer of security to protect against unauthorized access.

  • Replay-Resistant Authentication (IA.L2-3.5.4)

    The Replay-Resistant Authentication (IA.L2-3.5.4) subcontrol within the Identification and Authentication control of CMMC focuses on mitigating the risks associated with replay attacks during the authentication process. It mandates the implementation of measures that prevent the unauthorized reuse of authentication data, reinforcing the overall security of user access.

  • Identifier Reuse (IA.L2-3.5.5[a])

    The Identifier Reuse (IA.L2-3.5.5[a]) subcontrol within the Identification and Authentication control of CMMC specifically addresses the prevention of identifier reuse, focusing on the secure management of identifiers to enhance overall authentication security. It ensures that once an identifier (e.g., username, account name) is used, it is not recycled or reassigned to other users.

  • Identifier Reuse (IA.L2-3.5.5[b])

    The Identifier Reuse (IA.L2-3.5.5[b]) subcontrol within the Identification and Authentication control of CMMC focuses on preventing the unintentional or unauthorized reuse of identifiers. It establishes measures to ensure that identifiers, such as usernames or account names, are not reintroduced for new users without adequate consideration for security implications.

  • Identifier Handling (IA.L2-3.5.6[a])

    The Identifier Handling (IA.L2-3.5.6[a]) subcontrol within the Identification and Authentication control of CMMC specifically addresses the secure creation of identifiers. It focuses on establishing guidelines and practices to ensure that identifiers, such as usernames and account names, are generated in a manner that enhances resistance to unauthorized access and exploitation.

  • Identifier Handling (IA.L2-3.5.6[b])

    The Identifier Handling (IA.L2-3.5.6[b]) subcontrol within the Identification and Authentication control of CMMC addresses the secure transmission of identifiers. It focuses on establishing guidelines and practices to ensure that identifiers, such as usernames and account names, are transmitted securely to prevent unauthorized interception and access.

  • Password Complexity (IA.L2-3.5.7[a])

    Password Complexity (IA.L2-3.5.7[a]) is a specific aspect of the Identification and Authentication control within CMMC that focuses on enhancing the security of passwords used for authentication. This subcontrol emphasizes the establishment and enforcement of specific password complexity requirements to mitigate the risk of unauthorized access through the use of weak or easily guessable passwords.

  • Password Complexity (IA.L2-3.5.7[b])

    Password Complexity (IA.L2-3.5.7[b]) is a subcontrol within the Identification and Authentication (IA) control of CMMC that specifically addresses the establishment and enforcement of password complexity requirements. This subcontrol aims to enhance the security of authentication by mitigating the risk of unauthorized access through the use of weak or easily guessable passwords.

  • Password Complexity (IA.L2-3.5.7[c])

    Password Complexity (IA.L2-3.5.7[c]) is a subcontrol within the Identification and Authentication (IA) control of CMMC, focusing on the establishment and enforcement of password complexity requirements. This subcontrol aims to enhance the security of authentication by reducing the risk of unauthorized access through the use of weak or easily guessable passwords.

  • Password Complexity (IA.L2-3.5.7[d])

    Password Complexity (IA.L2-3.5.7[d]) is a subcontrol within the Identification and Authentication (IA) control of CMMC, addressing the establishment and enforcement of password complexity requirements. This subcontrol focuses on enhancing authentication security by reducing the risk of unauthorized access through the implementation of stringent password complexity standards.

  • Password Reuse (IA.L2-3.5.8[a])

    Password Reuse (IA.L2-3.5.8[a]) is a subcontrol within the Identification and Authentication (IA) control of CMMC, focusing on mitigating the risk of unauthorized access through the prevention of password reuse. This subcontrol emphasizes the need for organizations to establish clear policies and technical controls that discourage or prohibit users from reusing passwords across different accounts or systems.

  • Password Reuse (IA.L2-3.5.8[b])

    Password Reuse (IA.L2-3.5.8[b]) is a subcontrol within the Identification and Authentication (IA) control of CMMC, emphasizing the need for organizations to implement technical controls that discourage or prevent users from reusing passwords across different accounts or systems. This subcontrol specifically focuses on the technical aspects of preventing password reuse.

  • Temporary Passwords (IA.L2-3.5.9)

    Temporary Passwords (IA.L2-3.5.9) is a subcontrol within the Identification and Authentication (IA) control of CMMC, focusing on the secure management and usage of temporary passwords. This subcontrol is designed to ensure that temporary passwords are implemented securely to prevent unauthorized access and enhance overall authentication security.

  • Cryptographically-Protected Passwords (IA.L2-3.5.10[a])

    Cryptographically-Protected Passwords (IA.L2-3.5.10[a]) is a refinement of the Cryptographically-Protected Passwords subcontrol within the Identification and Authentication (IA) control of CMMC. This subcontrol focuses on enhancing the protection of stored passwords through the use of industry-standard cryptographic measures.

  • Cryptographically-Protected Passwords (IA.L2-3.5.10[b])

    Cryptographically-Protected Passwords (IA.L2-3.5.10[b]) is a refinement of the Cryptographically-Protected Passwords subcontrol within the Identification and Authentication (IA) control of CMMC. This subcontrol specifically emphasizes the importance of securely managing cryptographic keys used in password protection.

  • Obscure Feedback (IA.L2-3.5.11)

    The Obscure Feedback control within Identification and Authentication (IA) in CMMCv2 aims to enhance security by obscuring or encrypting feedback provided to users during the authentication process. This helps prevent potential attackers from gathering information that could be used to compromise user accounts.

Evaluates system security controls through assessments and audits to ensure they function as intended and address organizational risk.

  • System Security Plan (CA.L2-3.12.4[h])

    CA.L2-3.12.4[h] emphasizes the importance of maintaining an up-to-date and comprehensive System Security Plan (SSP) to reflect changes in the information system's security posture. This subcontrol focuses on ensuring that the SSP accurately represents the current state of security controls, policies, and procedures.

  • System Security Plan (CA.L2-3.12.4[g])

    CA.L2-3.12.4[g] focuses on the development and maintenance of a System Security Plan (SSP) that provides a comprehensive overview of the security posture of an information system. The SSP serves as a crucial document outlining security controls, policies, and procedures implemented to safeguard sensitive information.

  • System Security Plan (CA.L2-3.12.4[f])

    Control CA.L2-3.12.4[f] underscores the importance of a comprehensive and regularly updated System Security Plan (SSP) as an integral part of the Security Assessment process. The SSP serves as a foundational document, articulating an organization's security controls, policies, and procedures. This subcontrol specifically focuses on ensuring the alignment of the SSP with the organization's configuration management processes.

  • System Security Plan (CA.L2-3.12.4[e])

    Control CA.L2-3.12.4[e] emphasizes the need for a comprehensive and regularly updated System Security Plan (SSP) as an integral component of the Security Assessment process. The SSP serves as a foundational document, articulating an organization's security controls, policies, and procedures. This subcontrol specifically focuses on ensuring the alignment of the SSP with the organization's incident response capabilities.

  • System Security Plan (CA.L2-3.12.4[d])

    Control CA.L2-3.12.4[d] underscores the critical need for a comprehensive and regularly updated System Security Plan (SSP) as an integral part of the Security Assessment process. The SSP serves as a foundational document, articulating an organization's security controls, policies, and procedures. This subcontrol specifically emphasizes the importance of aligning the SSP with organizational risk management strategies.

  • System Security Plan (CA.L2-3.12.4[c])

    Control CA.L2-3.12.4[c] underscores the importance of a comprehensive and regularly updated System Security Plan (SSP) within the Security Assessment process. The SSP serves as a foundational document, detailing an organization's security controls, policies, and procedures. This subcontrol emphasizes the ongoing relevance and accuracy of the SSP for effective security assessments and risk management.

  • System Security Plan (CA.L2-3.12.4[b])

    Control CA.L2-3.12.4[b] highlights the importance of a thorough and regularly updated System Security Plan (SSP) as a critical component of the Security Assessment process. The SSP serves as a comprehensive document detailing an organization's security controls, policies, and procedures, providing a foundation for effective security assessments and risk management.

  • System Security Plan (CA.L2-3.12.4[a])

    Control CA.L2-3.12.4[a] emphasizes the importance of a well-structured and regularly updated System Security Plan (SSP) as a foundational element in the Security Assessment process. The SSP serves as a comprehensive document detailing an organization's security controls, policies, and procedures, facilitating effective security assessment and risk management.

  • Security Control Monitoring (CA.L2-3.12.3)

    Control CA.L2-3.12.3 focuses on the continuous monitoring of security controls to ensure their effectiveness and responsiveness to emerging threats. This subcontrol emphasizes real-time observation, analysis, and response to security events to enhance an organization's ability to detect, prevent, and mitigate potential security incidents.

  • Plan of Action (CA.L2-3.12.2[c])

    Control CA.L2-3.12.2[c] focuses on the establishment and maintenance of a comprehensive Plan of Action (POA) specifically tailored for deficiencies identified during security assessments (SAs). This control ensures that organizations have a systematic approach to address and mitigate security weaknesses, thereby enhancing their overall cybersecurity resilience.

  • Plan of Action (CA.L2-3.12.2[b])

    Control CA.L2-3.12.2[b] emphasizes the need for organizations to establish and maintain a comprehensive Plan of Action (POA) specifically for deficiencies identified during security assessments (SAs). This control ensures that organizations systematically address and mitigate security weaknesses to enhance their overall cybersecurity posture.

  • Plan of Action (CA.L2-3.12.2[a])

    This control focuses on the establishment and maintenance of a Plan of Action (POA) for identified security vulnerabilities and deficiencies discovered during security assessments (SAs). The objective is to ensure that organizations systematically address and mitigate identified weaknesses, enhancing overall security posture.

  • Security Control Assessment (CA.L2-3.12.1[b])

    Security Control Assessment - Continuous Monitoring (CA.L2-3.12.1[b]) is a subcontrol within the Security Assessment (CA) domain of CMMCv2. This control focuses on establishing continuous monitoring practices to regularly assess the effectiveness of security controls and detect changes in the security posture of an organization.

  • Security Control Assessment (CA.L2-3.12.1[a])

    This subcontrol focuses on conducting a thorough Security Control Assessment (SCA) to ensure the effectiveness of implemented security controls and their alignment with organizational requirements. Specifically, CA.L2-3.12.1[a] addresses the assessment of security controls related to the management of cryptographic keys.

Implements personnel screening, role-based access, and termination procedures to ensure trusted individuals have access to sensitive information.

  • Screen Individuals (PS.L2-3.9.1)

    Control PS.L2-3.9.1 emphasizes the importance of screening individuals before granting them access to sensitive information or facilities. This subcontrol ensures that organizations implement a comprehensive screening process to assess the trustworthiness and suitability of individuals for specific roles.

  • Personnel Actions (PS.L2-3.9.2[a])

    Control PS.L2-3.9.2[a] specifies the need to incorporate security considerations into the hiring process within the broader personnel action lifecycle. It emphasizes establishing and maintaining secure procedures for hiring personnel, ensuring that security measures are integrated from the initial stages of employment.

  • Personnel Actions (PS.L2-3.9.2[b])

    Control PS.L2-3.9.2[b] emphasizes the need for organizations to integrate security considerations into the transfer process within the personnel action lifecycle. This subcontrol aims to establish and maintain secure procedures for personnel transfers, ensuring that security measures accompany employees moving within the organization.

  • Personnel Actions (PS.L2-3.9.2[c])

    Control PS.L2-3.9.2[c] underscores the significance of incorporating security considerations into the promotion process within the personnel action lifecycle. This subcontrol aims to establish and maintain secure procedures for personnel promotions, ensuring that security measures accompany employees advancing within the organization.

Protects digital and physical media by enforcing secure handling, storage, and disposal practices to prevent unauthorized access to sensitive data.

  • Protect Backups (MP.L2-3.8.9)

    The Protect Backups subcontrol MP.L2-3.8.9 within the Media Protection control of CMMC addresses the secure handling and protection of backups containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol emphasizes the importance of implementing measures to safeguard backup copies, ensuring their integrity, availability, and protection against unauthorized access.

  • Media Protection (MP.L2-3.8.1[a])

    Control MP.L2-3.8.1[a] emphasizes the secure handling and protection of physical media that contains Controlled Unclassified Information (CUI). This subcontrol is designed to prevent unauthorized access, theft, or tampering with physical storage mediums, such as paper documents, external drives, and other tangible forms of information storage.

  • Media Protection (MP.L2-3.8.1[b])

    The Media Protection control within CMMC focuses on safeguarding and managing media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Subcontrol MP.L2-3.8.1[b] specifically addresses the sanitization or destruction of media to prevent unauthorized access to sensitive information.

  • Media Protection (MP.L2-3.8.1[c])

    The Media Protection control within CMMC is designed to secure and manage media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Subcontrol MP.L2-3.8.1[c] specifically addresses the establishment and maintenance of access controls for media, ensuring that only authorized individuals have the ability to access sensitive information.

  • Media Protection (MP.L2-3.8.1[d])

    The Media Protection control within CMMC focuses on safeguarding and managing media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Subcontrol MP.L2-3.8.1[d] specifically addresses the protection of media during transport, ensuring that adequate measures are in place to prevent unauthorized access, interception, or tampering during transit.

  • Media Access (MP.L2-3.8.2)

    The Media Access subcontrol within the Media Protection control of CMMC focuses on controlling access to media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). MP.L2-3.8.2 aims to ensure that only authorized individuals can access and interact with media to prevent unauthorized disclosure, modification, or destruction of sensitive information.

  • Media Disposal (MP.L1-3.8.3[a])

    The Media Disposal subcontrol MP.L1-3.8.3[a] within the Media Protection control of CMMC specifically addresses the secure disposal of physical media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It focuses on establishing procedures for the secure and irreversible destruction of physical media to prevent unauthorized access to sensitive information.

  • Media Disposal (MP.L1-3.8.3[b])

    The Media Disposal subcontrol MP.L1-3.8.3[b] within the Media Protection control of CMMC focuses on the secure disposal of digital media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It emphasizes the need for organizations to establish and implement procedures to ensure the secure and irreversible erasure or destruction of digital media, preventing unauthorized access to sensitive information.

  • Media Markings (MP.L2-3.8.4[a])

    The Media Markings subcontrol MP.L2-3.8.4[a] within the Media Protection control of CMMC focuses on implementing specific markings on media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to indicate its sensitivity level. This subcontrol emphasizes the importance of consistent and standardized markings to communicate the security requirements associated with the information on both physical and digital media.

  • Media Markings (MP.L2-3.8.4[b])

    The Media Markings subcontrol MP.L2-3.8.4[b] within the Media Protection control of CMMC focuses on implementing markings on media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to convey its sensitivity level and the handling requirements. This subcontrol emphasizes the need for organizations to provide specific markings that address the unique characteristics and risks associated with the information on both physical and digital media.

  • Media Accountability (MP.L2-3.8.5[a])

    The Media Accountability subcontrol MP.L2-3.8.5[a] within the Media Protection control of CMMC emphasizes the establishment of specific tracking mechanisms to ensure accountability for media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol focuses on implementing processes that track the creation, distribution, access, and disposal of sensitive information on both physical and digital media.

  • Media Accountability (MP.L2-3.8.5[b])

    The Media Accountability subcontrol MP.L2-3.8.5[b] within the Media Protection control of CMMC focuses on enhancing accountability mechanisms by specifically addressing the tracking of actions related to media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol emphasizes the need for organizations to implement detailed tracking processes that cover the entire lifecycle of sensitive information on both physical and digital media.

  • Portable Storage Encryption (MP.L2-3.8.6)

    The Portable Storage Encryption subcontrol MP.L2-3.8.6 within the Media Protection control of CMMC focuses on securing sensitive information stored on portable storage devices, such as USB drives and external hard drives, through the implementation of encryption. This subcontrol aims to prevent unauthorized access to Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the event of loss or theft of portable storage media.

  • Removable Media (MP.L2-3.8.7)

    The Removable Media subcontrol MP.L2-3.8.7 within the Media Protection control of CMMC addresses the secure usage of removable media devices, such as USB drives and external hard drives, to prevent unauthorized access and protect Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol aims to establish measures that mitigate risks associated with the use of removable media, including data loss, theft, or introduction of malicious software.

  • Shared Media (MP.L2-3.8.8)

    The Shared Media subcontrol MP.L2-3.8.8 within the Media Protection control of CMMC addresses the secure handling and protection of shared media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol emphasizes the importance of implementing measures to control and monitor the use of media that is accessible by multiple individuals or systems to prevent unauthorized access and protect sensitive information.

  • Identify Unauthorized Use (SI.L2-3.14.7[a])

    The "Identify Unauthorized Use" subcontrol, designated as SI.L2-3.14.7[a], focuses on implementing measures to promptly detect and prevent unauthorized access or use of information systems. This subcontrol aims to enhance the organization's ability to identify and respond to unauthorized activities, thereby preserving the integrity and confidentiality of sensitive information.

  • Identify Unauthorized Use (SI.L2-3.14.7[b])

    The "Identify Unauthorized Use" subcontrol, specified as SI.L2-3.14.7[b], is designed to establish measures that promptly detect and prevent unauthorized access or use of information systems. This subcontrol enhances the organization's ability to identify and respond to unauthorized activities, contributing to the overall security posture by preserving the integrity and confidentiality of sensitive information.

  • Flaw Remediation (SI.L1-3.14.1[a])

    The Flaw Remediation (SI.L1-3.14.1[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 specifically addresses the identification and remediation of vulnerabilities or flaws in software and hardware components. This subcontrol emphasizes a targeted and risk-based approach to flaw remediation.

  • Flaw Remediation (SI.L1-3.14.1[b])

    The Flaw Remediation (SI.L1-3.14.1[b]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 specifically addresses improving the effectiveness of flaw remediation efforts through the establishment of proactive measures and feedback mechanisms.

  • Flaw Remediation (SI.L1-3.14.1[c])

    The Flaw Remediation (SI.L1-3.14.1[c]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 specifically addresses documenting and communicating lessons learned from flaw remediation efforts. It emphasizes the importance of institutionalizing knowledge to improve future responses to vulnerabilities.

  • Flaw Remediation (SI.L1-3.14.1[d])

    The Flaw Remediation (SI.L1-3.14.1[d]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on assessing the effectiveness of flaw remediation activities and ensuring that corrective actions lead to sustained improvements in the organization's cybersecurity posture.

  • Flaw Remediation (SI.L1-3.14.1[e])

    The Flaw Remediation (SI.L1-3.14.1[e]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on ensuring the documentation and communication of effective remediation practices and lessons learned throughout the organization.

  • Monitor Communications for Attacks (SI.L2-3.14.6[b])

    The Monitor Communications for Attacks (SI.L2-3.14.6[b]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on expanding monitoring capabilities to detect and respond to cyber attacks against an organization's communication channels, with a specific emphasis on identifying and mitigating insider threats.

  • Monitor Communications for Attacks (SI.L2-3.14.6[c])

    The Monitor Communications for Attacks (SI.L2-3.14.6[c]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on advancing monitoring capabilities to detect and respond to cyber attacks against an organization's communication channels, with a specific emphasis on identifying and mitigating malware-related threats.

  • Monitor Communications for Attacks (SI.L2-3.14.6[a])

    The Monitor Communications for Attacks (SI.L2-3.14.6[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on the enhancement of monitoring procedures with a specific emphasis on detecting and responding to sophisticated and targeted cyber attacks against an organization's communication channels.

  • System & File Scanning (SI.L1-3.14.5[c])

    The System & File Scanning (SI.L1-3.14.5[c]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on implementing procedures for the routine scanning and analysis of systems and files to identify and address potential security risks, with a specific emphasis on vulnerabilities.

  • System & File Scanning (SI.L1-3.14.5[a])

    The System & File Scanning (SI.L1-3.14.5[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 specifically addresses the need for organizations to establish procedures for scanning and analyzing systems and files to identify and mitigate potential security risks. This subcontrol emphasizes the importance of regularly updating scanning tools and technologies to stay resilient against evolving threats.

  • System & File Scanning (SI.L1-3.14.5[b])

    The System & File Scanning (SI.L1-3.14.5[b]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing procedures for the routine scanning and analysis of systems and files with an emphasis on identifying and mitigating potential security risks related to unauthorized changes.

  • Update Malicious Code Protection (SI.L1-3.14.4)

    The Update Malicious Code Protection (SI.L1-3.14.4) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on ensuring that organizations regularly update and maintain their malicious code protection mechanisms to defend against the latest known threats.

  • Security Alerts & Advisories (SI.L2-3.14.3[b])

    The Security Alerts & Advisories (SI.L2-3.14.3[b]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on ensuring that organizations have processes in place to assess the potential impact of security alerts and advisories on their specific information systems and take appropriate response actions.

  • Security Alerts & Advisories (SI.L2-3.14.3[c])

    The Security Alerts & Advisories (SI.L2-3.14.3[c]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing mechanisms for continuous monitoring and evaluation of the effectiveness of the organization's response to security alerts and advisories.

  • Flaw Remediation (SI.L1-3.14.1[f])

    The Flaw Remediation (SI.L1-3.14.1[f]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on incorporating automated mechanisms to improve the efficiency and effectiveness of flaw identification, analysis, and remediation.

  • Malicious Code Protection (SI.L1-3.14.2[a])

    The Malicious Code Protection (SI.L1-3.14.2[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on deploying and maintaining antivirus software to detect and remove known malicious code from the organization's information systems.

  • Malicious Code Protection (SI.L1-3.14.2[b])

    The Malicious Code Protection (SI.L1-3.14.2[b]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on implementing additional protective measures beyond traditional antivirus solutions to detect and prevent more sophisticated forms of malicious code.

  • Security Alerts & Advisories (SI.L2-3.14.3[a])

    The Security Alerts & Advisories (SI.L2-3.14.3[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing processes to receive, assess, and respond to security alerts and advisories that are specific to the organization's industry and operational environment.

Secures physical access to systems and data centers, limiting unauthorized entry and preventing tampering with infrastructure.

  • Alternative Work Sites (PE.L2-3.10.6[b])

    Control PE.L2-3.10.6[b] emphasizes the implementation of secure access mechanisms for employees working from alternative sites. This subcontrol ensures that organizations establish and document measures to guarantee secure remote access, protecting both physical and informational assets.

  • Alternative Work Sites (PE.L2-3.10.6[a])

    Control PE.L2-3.10.6[a] emphasizes the need for organizations to establish and document specific security requirements for employees working from alternative sites. This subcontrol ensures that security considerations extend to remote work environments, protecting both physical and informational assets.

  • Manage Physical Access (PE.L1-3.10.5[c])

    Control PE.L1-3.10.5[c] addresses the importance of maintaining an Access Control List (ACL) to manage physical access. This subcontrol ensures that organizations establish and maintain a comprehensive list of individuals and roles with authorized access to controlled areas.

  • Manage Physical Access (PE.L1-3.10.5[b])

    Control PE.L1-3.10.5[b] focuses on the need for organizations to implement access approval procedures, defining a structured process for obtaining and granting approvals for physical access. This subcontrol ensures a controlled and consistent approach to managing access privileges.

  • Manage Physical Access (PE.L1-3.10.5[a])

    Control PE.L1-3.10.5[a] specifically addresses the need for organizations to establish and implement access control policies that govern physical access to facilities. This subcontrol emphasizes the importance of defining principles and criteria for granting and managing access privileges.

  • Physical Access Logs (PE.L1-3.10.4)

    Control PE.L1-3.10.4 emphasizes the importance of maintaining accurate and detailed physical access logs for controlled areas. This subcontrol focuses on the documentation of individuals accessing sensitive locations, enabling organizations to monitor and review physical access activities.

  • Escort Visitors (PE.L1-3.10.3[b])

    Control PE.L1-3.10.3[b] emphasizes the importance of implementing escort protocols for visitors within controlled areas, specifically addressing the need for personnel to escort visitors without a valid Visitor Authorization Credential.

  • Escort Visitors (PE.L1-3.10.3[a])

    Control PE.L1-3.10.3[a] emphasizes the need for organizations to implement escort protocols for visitors within controlled areas, specifically addressing the need for personnel to escort visitors possessing a Visitor Authorization Credential.

  • Monitor Facility (PE.L2-3.10.2[d])

    Control PE.L2-3.10.2[d] emphasizes the importance of leveraging advanced technologies for facility monitoring. This subcontrol specifically addresses the deployment of cutting-edge technologies, such as video analytics and intrusion detection systems, to enhance the surveillance capabilities of physical facilities.

  • Monitor Facility (PE.L2-3.10.2[c])

    Control PE.L2-3.10.2[c] emphasizes the need for organizations to implement a comprehensive monitoring program for their physical facilities. This subcontrol specifically addresses the coordination and collaboration between internal security personnel and external entities for enhanced facility surveillance.

  • Monitor Facility (PE.L2-3.10.2[b])

    Control PE.L2-3.10.2[b] underscores the importance of monitoring physical facilities through human-driven processes. This subcontrol focuses on the deployment of personnel for continuous surveillance to enhance the security posture of facilities.

  • Monitor Facility (PE.L2-3.10.2[a])

    Control PE.L2-3.10.2[a] emphasizes the need for organizations to monitor their facilities using automated tools and technologies. This subcontrol specifically addresses the implementation of automated monitoring solutions to enhance the surveillance capabilities of physical facilities.

  • Limit Physical Access (PE.L1-3.10.1[d])

    Control PE.L1-3.10.1[d] underscores the importance of limiting physical access to facilities during emergency situations. This subcontrol ensures that organizations have specific measures and protocols in place to restrict access to critical areas under emergency conditions, thereby safeguarding personnel and sensitive assets.

  • Limit Physical Access (PE.L1-3.10.1[c])

    Control PE.L1-3.10.1[c] emphasizes the need to limit physical access to facilities based on specific operational requirements and conditions. This subcontrol ensures that access controls are adjusted and enforced according to the organization's unique operational scenarios, further enhancing the overall physical security posture.

  • Limit Physical Access (PE.L1-3.10.1[a])

    Control PE.L1-3.10.1[a] focuses on establishing and enforcing access control measures to limit physical access to facilities during non-operational hours. This subcontrol aims to prevent unauthorized entry outside normal working hours, thereby enhancing the overall physical security posture of the organization.

  • Limit Physical Access (PE.L1-3.10.1[b])

    Control PE.L1-3.10.1[b] emphasizes the importance of implementing access control measures to limit physical access to facilities based on individuals' roles and responsibilities. This subcontrol ensures that only authorized personnel with specific job functions have access to areas relevant to their duties, enhancing the overall physical security posture of the organization.

Identifies and evaluates potential risks to information systems, ensuring that controls are aligned with the level of risk to critical assets.

  • Vulnerability Scan (RA.L2-3.11.2[a])

    Control RA.L2-3.11.2[a] specifically focuses on the requirement for organizations to conduct vulnerability scans using approved tools and methodologies. These scans aim to identify and assess vulnerabilities within the organization's information systems, contributing to a proactive risk assessment and mitigation strategy.

  • Risk Assessments (RA.L2-3.11.1[b])

    Control RA.L2-3.11.1[b] emphasizes the need for organizations to conduct periodic and comprehensive risk assessments. The objective is to systematically identify, evaluate, and prioritize risks to the organization's information systems and sensitive data. This subcontrol ensures a proactive and ongoing approach to risk management.

  • Risk Assessments (RA.L2-3.11.1[a])

    Control RA.L2-3.11.1[a] emphasizes the importance of conducting specific risk assessments to identify, evaluate, and prioritize risks to the organization's information systems and sensitive data. This subcontrol ensures a focused and targeted approach to risk management tailored to the organization's unique context and requirements.

  • Vulnerability Remediation (RA.L2-3.11.3[b])

    Control RA.L2-3.11.3[b] emphasizes the need for organizations to establish and implement manual remediation processes for identified vulnerabilities. This subcontrol ensures that organizations have a structured and effective approach to addressing vulnerabilities that may require manual intervention, complementing automated remediation efforts.

  • Vulnerability Scan (RA.L2-3.11.2[b])

    Control RA.L2-3.11.2[b] focuses on the need for organizations to conduct vulnerability scans specifically on components within the supply chain. This subcontrol ensures that organizations extend their vulnerability management practices to assess and mitigate risks associated with third-party vendors and suppliers.

  • Vulnerability Scan (RA.L2-3.11.2[c])

    Control RA.L2-3.11.2[c] emphasizes the importance of conducting vulnerability scans specifically on external-facing systems. This subcontrol ensures organizations proactively identify and mitigate vulnerabilities that may be exploited from the external environment, safeguarding against potential cyber threats.

  • Vulnerability Scan (RA.L2-3.11.2[d])

    Control RA.L2-3.11.2[d] focuses on the importance of conducting vulnerability scans on mobile devices. This subcontrol ensures organizations proactively identify and mitigate vulnerabilities specific to mobile devices, protecting against potential threats in the mobile environment.

  • Vulnerability Scan (RA.L2-3.11.2[e])

    Control RA.L2-3.11.2[e] focuses on the necessity of conducting vulnerability scans on databases. This subcontrol ensures organizations proactively identify and mitigate vulnerabilities specific to databases, safeguarding against potential threats targeting critical data repositories.

  • Vulnerability Remediation (RA.L2-3.11.3[a])

    Control RA.L2-3.11.3[a] focuses on the need for organizations to establish and implement automated mechanisms for the remediation of identified vulnerabilities. This subcontrol ensures a proactive and efficient approach to addressing vulnerabilities through automated processes, reducing manual intervention and accelerating response times.

Ensures secure system boundaries and communication channels by implementing protections like encryption, traffic filtering, and isolation to safeguard data in transit.

  • Communications Authenticity (SC.L2-3.13.15)

    Communications Authenticity (SC.L2-3.13.15) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control is designed to ensure the authenticity of communications, verifying the integrity of data exchanged over communication channels.

  • Data at Rest (SC.L2-3.13.16)

    Data at Rest (SC.L2-3.13.16) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control focuses on protecting data stored in systems and databases when it is not actively being used or transferred. It aims to prevent unauthorized access or disclosure of sensitive information.

  • Voice over Internet Protocol (SC.L2-3.13.14[a])

    Voice over Internet Protocol (VoIP) Encryption (SC.L2-3.13.14[a]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control specifically addresses the need for encrypting VoIP communications to protect the confidentiality and integrity of voice data transmitted over IP networks.

  • Voice over Internet Protocol (SC.L2-3.13.14[b])

    Voice over Internet Protocol (VoIP) Access Controls (SC.L2-3.13.14[b]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control focuses on implementing access controls for VoIP systems to prevent unauthorized access and ensure the integrity of voice communications.

  • Mobile Code (SC.L2-3.13.13[b])

    Mobile Code (SC.L2-3.13.13[b]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control focuses on managing and securing the risks associated with the deployment and execution of mobile code on information systems.

  • Mobile Code (SC.L2-3.13.13[a])

    Mobile Code (SC.L2-3.13.13[a]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control focuses on the secure development and deployment of mobile code, addressing the risks associated with externally received or executed code on information systems.

  • Collaborative Device Control (SC.L2-3.13.12[c])

    Collaborative Device Control (SC.L2-3.13.12[c]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This subcontrol focuses on monitoring and auditing the usage of collaborative devices to ensure the confidentiality, integrity, and availability of sensitive information within collaborative environments.

  • Collaborative Device Control (SC.L2-3.13.12[b])

    Collaborative Device Control (SC.L2-3.13.12[b]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This subcontrol addresses the secure configuration and management of collaborative devices to ensure the confidentiality, integrity, and availability of sensitive information within collaborative environments.

  • Collaborative Device Control (SC.L2-3.13.12[a])

    Collaborative Device Control (SC.L2-3.13.12[a]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. It specifically addresses the secure management and usage of collaborative devices to ensure the confidentiality, integrity, and availability of sensitive information in collaborative environments.

  • CUI Encryption (SC.L2-3.13.11)

    CUI Encryption (SC.L2-3.13.11) is a subcontrol within the System and Communications Protection domain of the CMMCv2 framework. It specifically focuses on the protection of Controlled Unclassified Information (CUI) through encryption. The subcontrol aims to safeguard sensitive information from unauthorized access and disclosure by ensuring that CUI is encrypted when stored, processed, or transmitted.

  • Key Management (SC.L2-3.13.10[b])

    Distribution Controls (SC.L2-3.13.10[b]) is a specific subcontrol under the broader Key Management control in the CMMCv2 framework. This subcontrol focuses on implementing secure controls for the distribution of cryptographic keys. The secure distribution of keys is crucial to ensure that they reach authorized entities without interception or tampering, thereby maintaining the confidentiality and integrity of communication.

  • Key Management (SC.L2-3.13.10[a])

    Key Generation Procedures (SC.L2-3.13.10[a]) is a specific subcontrol under the broader Key Management control in the CMMCv2 framework. It focuses on defining and implementing secure procedures for generating cryptographic keys. The effectiveness of cryptographic systems heavily relies on the randomness and unpredictability of key generation, making this subcontrol critical for ensuring the confidentiality and integrity of sensitive information.

  • Connections Termination (SC.L2-3.13.9[c])

    Monitoring and Logging of Connections Termination (SC.L2-3.13.9[c]) is a subcontrol that emphasizes the importance of implementing robust monitoring and logging mechanisms for tracking the termination of network connections. This subcontrol recognizes the value of detailed logs and monitoring data in detecting and responding to anomalous activities, potential security incidents, or unauthorized terminations.

  • Connections Termination (SC.L2-3.13.9[b])

    Automated Connections Termination (SC.L2-3.13.9[b]) is a subcontrol that focuses on the secure termination of network connections through automated processes. This subcontrol recognizes the significance of implementing controls and mechanisms to automatically terminate connections in a controlled and secure manner, minimizing the risk of unauthorized access or data exposure.

  • Connections Termination (SC.L2-3.13.9[a])

    User-Initiated Connections Termination (SC.L2-3.13.9[a]) is a subcontrol that emphasizes secure procedures for terminating network connections initiated by users. This subcontrol recognizes the importance of providing users with the knowledge and tools to terminate connections in a controlled and secure manner.

  • Data in Transit (SC.L2-3.13.8[c])

    Data in Transit Monitoring (SC.L2-3.13.8[c]) is a subcontrol that focuses on actively monitoring the transmission of data across networks. This subcontrol emphasizes the importance of real-time monitoring to detect and respond to anomalous activities, potential security incidents, or unauthorized access during data transmission.

  • Data in Transit (SC.L2-3.13.8[b])

    Data in Transit Segmentation (SC.L2-3.13.8[b]) is a subcontrol that focuses on enhancing the security of data during its transmission across networks. This subcontrol emphasizes the importance of segmenting or isolating sensitive data flows to minimize exposure and potential risks associated with unauthorized access or interception.

  • Data in Transit (SC.L2-3.13.8[a])

    Data in Transit Encryption (SC.L2-3.13.8[a]) is a subcontrol that specifically addresses the protection of sensitive data as it traverses networks. This subcontrol focuses on implementing encryption mechanisms to ensure the confidentiality and integrity of data during its transmission between systems, devices, or endpoints.

  • Split Tunneling (SC.L2-3.13.7)

    Split Tunneling (SC.L2-3.13.7) is a control that addresses the secure configuration of network connections, particularly focusing on scenarios where a user's internet traffic is divided ("split") between the organization's secure network and an external network, such as the internet. The control aims to mitigate potential security risks associated with split tunneling configurations.

  • Network Communication by Exception (SC.L2-3.13.6[b])

    Network Communication by Exception (SC.L2-3.13.6[b]) is an advanced control within the CMMCv2 framework, building on the principles of controlling network communications based on business needs. This subcontrol emphasizes the need for a more granular approach to exception management, allowing organizations to define specific criteria for exceptions beyond basic business functions.

  • Network Communication by Exception (SC.L2-3.13.6[a])

    Network Communication by Exception (SC.L2-3.13.6[a]) builds on the broader control by emphasizing the need for well-defined exceptions when allowing network communications. This control requires organizations to implement a default-deny rule for network communications and only permit exceptions based on specific business functions and mission-critical processes.

  • Public-Access System Separation (SC.L1-3.13.5[b])

    Public-Access System Separation (SC.L1-3.13.5[b]) is a control aimed at ensuring the secure separation of systems accessible to the public from internal networks. This control focuses on preventing unauthorized access to sensitive information by implementing measures such as network segmentation, access controls, and monitoring mechanisms specific to public-facing systems.

  • Public-Access System Separation (SC.L1-3.13.5[a])

    Public-Access System Separation (SC.L1-3.13.5[a]) addresses the specific requirement to ensure a clear separation between systems accessible to the public and internal networks. This control emphasizes the importance of implementing measures to prevent unauthorized access to internal resources through public-facing systems, thereby protecting sensitive information from compromise.

  • Shared Resource Control (SC.L2-3.13.4)

    Shared Resource Control is a critical aspect of securing information systems, ensuring that resources accessed and utilized by multiple users or processes are protected against unauthorized access and potential security breaches. This control aims to establish and enforce measures that govern the use and sharing of resources, preventing compromise and ensuring the confidentiality, integrity, and availability of sensitive information.

  • Role Separation (SC.L2-3.13.3[c])

    The Role Separation subcontrol (SC.L2-3.13.3[c]) within the System and Communications Protection (SC) domain of CMMC Version 2 emphasizes the importance of maintaining clear segregation of duties to prevent unauthorized access and ensure accountability. This subcontrol focuses on establishing and enforcing roles within the organization to reduce the risk of conflicts of interest and enhance overall cybersecurity.

  • Role Separation (SC.L2-3.13.3[b])

    The Role Separation subcontrol (SC.L2-3.13.3[b]) within the System and Communications Protection (SC) domain of CMMC Version 2 emphasizes the need to enforce segregation of duties to reduce the risk of unauthorized access and potential conflicts of interest. This subcontrol aims to enhance cybersecurity by ensuring that critical tasks require the involvement of multiple individuals, preventing a single point of failure.

  • Role Separation (SC.L2-3.13.3[a])

    The Role Separation subcontrol (SC.L2-3.13.3[a]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on implementing role-based access controls to ensure that individuals have access only to the information and system functions necessary for their specific job roles. This subcontrol aims to prevent unauthorized access, reduce the risk of conflicts of interest, and enhance overall cybersecurity posture.

  • Security Engineering (SC.L2-3.13.2[f])

    The Security Engineering subcontrol (SC.L2-3.13.2[f]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on implementing security measures to ensure the integrity and trustworthiness of information systems. This subcontrol emphasizes the importance of secure configurations and the verification of the integrity of system components.

  • Security Engineering (SC.L2-3.13.2[e])

    The Security Engineering subcontrol (SC.L2-3.13.2[e]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on incorporating resilience and survivability measures into the organization's information systems. This subcontrol emphasizes the need to design systems that can withstand and recover from sophisticated cyber threats and disruptions.

  • Security Engineering (SC.L2-3.13.2[d])

    The Security Engineering subcontrol (SC.L2-3.13.2[d]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on implementing security measures that are tailored to the organization's specific threats and vulnerabilities. This subcontrol emphasizes the customization of security controls and practices to address the unique risks faced by the organization.

  • Security Engineering (SC.L2-3.13.2[c])

    The Security Engineering subcontrol (SC.L2-3.13.2[c]) within the System and Communications Protection (SC) domain of CMMC Version 2 emphasizes the need to establish and maintain a secure engineering process. Specifically, this subcontrol focuses on the integration of security measures into the development and implementation of information systems, with an emphasis on resilience against sophisticated cyber threats.

  • Security Engineering (SC.L2-3.13.2[b])

    The Security Engineering subcontrol (SC.L2-3.13.2[b]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on ensuring that security measures are effectively integrated into the development and implementation of information systems. Specifically, this subcontrol emphasizes the importance of conducting secure coding practices and implementing security controls to mitigate vulnerabilities in the developed software.

  • Security Engineering (SC.L2-3.13.2[a])

    The Security Engineering subcontrol (SC.L2-3.13.2[a]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on incorporating security considerations into the system engineering processes. Specifically, this subcontrol emphasizes the importance of conducting a threat analysis and implementing security controls during the system design and development phases to ensure a proactive and robust security posture.

  • Boundary Protection (SC.L1-3.13.1[h])

    The Boundary Protection subcontrol (SC.L1-3.13.1[h]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on establishing and enforcing physical and logical access restrictions to protect sensitive information within organizational boundaries. This subcontrol emphasizes the need for organizations to implement measures that prevent unauthorized physical access and tampering with system boundaries.

  • Boundary Protection (SC.L1-3.13.1[g])

    The Boundary Protection subcontrol (SC.L1-3.13.1[g]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on establishing and enforcing physical and logical access restrictions to protect sensitive information within organizational boundaries. This subcontrol is designed to prevent unauthorized access and data exfiltration at the network boundaries.

  • Boundary Protection (SC.L1-3.13.1[f])

    The SC.L1-3.13.1[f] subcontrol within the System and Communications Protection (SC) domain highlights the importance of implementing measures to monitor and control the use of mobile devices and removable media at organizational boundaries. This includes safeguards to prevent unauthorized connections and data transfers through these devices, ensuring the security of information systems.

  • Boundary Protection (SC.L1-3.13.1[e])

    The SC.L1-3.13.1[e] subcontrol within the System and Communications Protection (SC) domain emphasizes the necessity of implementing measures to ensure the integrity of data entering and exiting organizational boundaries. This involves implementing safeguards to prevent unauthorized modification, corruption, or introduction of malicious content during data transfers.

  • Boundary Protection (SC.L1-3.13.1[d])

    The SC.L1-3.13.1[d] subcontrol within the System and Communications Protection (SC) domain addresses the importance of implementing measures to control the flow of information at organizational boundaries. Specifically, it focuses on ensuring that only authorized data transfers occur, preventing unauthorized exfiltration and ensuring the integrity and confidentiality of sensitive information.

  • Boundary Protection (SC.L1-3.13.1[c])

    The SC.L1-3.13.1[c] subcontrol within the System and Communications Protection (SC) domain underscores the importance of implementing measures to detect and prevent the introduction of unauthorized software at organizational boundaries. This includes vigilant monitoring, control mechanisms, and security protocols to safeguard against the introduction of malicious code or unauthorized applications.

  • Boundary Protection (SC.L1-3.13.1[b])

    The SC.L1-3.13.1[b] subcontrol within System and Communications Protection (SC) centers on the necessity of implementing robust boundary protection measures by focusing on the detection and prevention of unauthorized physical connections at organizational boundaries. This ensures that only authorized connections are established, reducing the risk of unauthorized access and potential compromise.

  • Boundary Protection (SC.L1-3.13.1[a])

    The Boundary Protection control (SC.L1-3.13.1[a]) requires organizations to monitor, control, and protect the external boundaries of their information systems through security mechanisms. The control focuses on ensuring that unauthorized users are restricted from accessing sensitive information and resources within the organization by implementing robust boundary protection measures, such as firewalls, gateways, and network segmentation.

    Boundary protection mechanisms should be designed to prevent unauthorized information flow between systems of different security levels and classifications, ensuring both internal and external communication remains secure.

Manages system configurations to maintain security, ensuring that unauthorized changes to hardware, software, or settings are controlled.

  • Least Functionality (CM.L2-3.4.6[b])

    The Least Functionality (Non-essential Functions) subcontrol within Configuration Management (CM) in CMMCv2 focuses on limiting access to non-essential functions and features within information systems. By identifying and restricting unnecessary capabilities, organizations can reduce the attack surface, minimize potential vulnerabilities, and enhance the overall security of configuration items during the change process.

  • Nonessential Functionality (CM.L2-3.4.7[a])

    The Nonessential Functionality (Access Controls for Nonessential Functions) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the need to implement access controls specifically for nonessential functionalities within information systems. This control ensures that only authorized personnel have access to nonessential functions during the configuration management process, reducing the risk of security incidents.

  • Nonessential Functionality (CM.L2-3.4.7[b])

    The Nonessential Functionality control (CM.L2-3.4.7[b]) requires organizations to ensure that any nonessential functionalities—such as default accounts, applications, ports, protocols, or services—are disabled or removed from systems. Nonessential functionalities refer to components that are not necessary for the intended use of the system but could introduce security vulnerabilities if left enabled.

    This control helps reduce the attack surface by limiting the available features and functions that could be exploited by malicious actors. By removing or disabling nonessential components, organizations can enhance system security and ensure compliance with security policies.

  • Nonessential Functionality (CM.L2-3.4.7[c])

    The Nonessential Functionality (Risk Assessment of Nonessential Functions) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the need for conducting risk assessments specifically for nonessential functionalities within information systems. This control ensures that organizations systematically evaluate and manage the risks associated with these functions during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[d])

    The Nonessential Functionality (Documentation of Nonessential Functions) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the importance of documenting nonessential functionalities within information systems. This control ensures that organizations maintain comprehensive records of these functions to support risk assessments, monitoring, and decision-making during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[e])

    The Nonessential Functionality (Periodic Review of Nonessential Functions) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the need for organizations to conduct regular reviews of nonessential functionalities within information systems. This control ensures that these functions are periodically reassessed to account for changes in organizational requirements, system configurations, and potential risks during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[f])

    The Nonessential Functionality (Disposal of Unnecessary Functions) subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing processes to identify, evaluate, and dispose of unnecessary functions within information systems. This control ensures that nonessential functions are removed securely and efficiently, reducing the potential attack surface during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[g])

    The Nonessential Functionality (Verification of Disposal for Unnecessary Functions) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing verification processes to ensure the secure disposal of unnecessary functions. This control ensures that organizations can confirm the effective removal of nonessential functions, reducing the potential for security vulnerabilities during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[h])

    The Nonessential Functionality (Continuous Monitoring of Disposal Status) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing continuous monitoring processes to track the disposal status of unnecessary functions. This control ensures that organizations maintain ongoing awareness of the success and effectiveness of the disposal process, minimizing the risk of residual vulnerabilities during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[i])

    The Nonessential Functionality (Incident Reporting for Disposal Anomalies) subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing processes for incident reporting specifically related to anomalies in the disposal of unnecessary functions. This control ensures that organizations promptly identify and respond to any irregularities during the disposal process, minimizing the risk of security incidents and vulnerabilities in the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[j])

    The Nonessential Functionality (Audit Trail for Disposal Activities) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing audit trail mechanisms for disposal activities related to nonessential functions. This control ensures that organizations maintain detailed records of disposal actions, facilitating accountability, and enabling forensic analysis in case of security incidents during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[k])

    The Nonessential Functionality (Training on Disposal Procedures) subcontrol within Configuration Management (CM) in CMMCv2 focuses on providing training to personnel involved in the disposal of nonessential functions. This control ensures that individuals responsible for disposal activities are adequately trained on procedures, security measures, and compliance requirements, reducing the risk of errors and security incidents during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[l])

    The Nonessential Functionality (Periodic Review of Training Effectiveness) subcontrol within Configuration Management (CM) in CMMCv2 focuses on conducting periodic assessments to evaluate the effectiveness of the training program for personnel involved in the disposal of nonessential functions. This control ensures that training remains current, relevant, and responsive to emerging threats and changes in organizational requirements.

  • Nonessential Functionality (CM.L2-3.4.7[m])

    The Nonessential Functionality (Documentation of Training Records) subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing and maintaining comprehensive documentation of training records for personnel involved in the disposal of nonessential functions. This control ensures that organizations have a clear record of training activities, supporting compliance, accountability, and continuous improvement.

  • Nonessential Functionality (CM.L2-3.4.7[n])

    The Nonessential Functionality (Periodic Training Program Review) subcontrol within Configuration Management (CM) in CMMCv2 focuses on conducting periodic reviews of the overall training program for personnel involved in the disposal of nonessential functions. This control ensures that the training program remains effective, relevant, and aligned with organizational objectives over time.

  • Nonessential Functionality (CM.L2-3.4.7[o])

    The Nonessential Functionality (Incident Response for Training Program Anomalies) subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing an incident response plan specifically for addressing anomalies or issues identified during the periodic review of the training program. This control ensures that organizations can promptly respond to training program deficiencies, update materials, and improve the overall effectiveness of training for personnel involved in the disposal of nonessential functions.

  • Application Execution Policy (CM.L2-3.4.8[a])

    The Application Execution Policy (Whitelisting) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing a whitelisting approach to control the execution of applications on organizational information systems. This control ensures that only approved and authorized applications are allowed to run, reducing the risk of unauthorized or malicious software.

  • Application Execution Policy (CM.L2-3.4.8[b])

    The Application Execution Policy (Blacklisting) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing a blacklisting approach to control the execution of applications on organizational information systems. This control ensures that known unauthorized or malicious applications are explicitly prohibited from running, reducing the risk of security incidents.

  • Application Execution Policy (CM.L2-3.4.8[c])

    The Application Execution Policy (Greylisting) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing a greylisting approach to control the execution of applications on organizational information systems. This control allows organizations to temporarily delay or scrutinize the execution of applications not included in either the whitelist or blacklist, providing additional scrutiny for unknown or unverified software.

  • User-Installed Software (CM.L2-3.4.9[a])

    The User-Installed Software (Approval Process) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing a formalized approval process for user-installed software on organizational information systems. This control ensures that the introduction of new software aligns with security policies, undergoes proper vetting, and minimizes the risk of security incidents.

  • User-Installed Software (CM.L2-3.4.9[b])

    The User-Installed Software (Monitoring and Enforcement) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing monitoring and enforcement mechanisms for user-installed software on organizational information systems. This control aims to actively monitor software installations by end-users and enforce policies to ensure compliance with security requirements.

  • User-Installed Software (CM.L2-3.4.9[c])

    The User-Installed Software (Risk Assessment) subcontrol within Configuration Management (CM) in CMMCv2 focuses on conducting risk assessments for user-installed software on organizational information systems. This control aims to systematically evaluate the security risks associated with user-installed applications and take appropriate measures to mitigate identified risks.

  • System Baselining (CM.L2-3.4.1[a])

    The System Baselining control (CM.L2-3.4.1[a]) requires organizations to establish and maintain baseline configurations for information systems. A baseline configuration is a formally documented set of specifications for an organization's hardware, software, firmware, and system components. This baseline serves as a reference point for managing system changes and ensuring that systems are configured in a secure and consistent manner.

    Establishing baselines helps maintain system integrity by ensuring that any deviations from the secure configuration are identified, reviewed, and authorized. This process is essential for protecting systems that process or store Controlled Unclassified Information (CUI).

  • System Baselining (CM.L2-3.4.1[b])

    The System Baselining (Continuous Monitoring) subcontrol within Configuration Management (CM) in CMMCv2 enhances the traditional baseline approach by incorporating continuous monitoring practices. This ensures real-time visibility into system configurations, facilitating immediate detection and response to unauthorized changes.

  • System Baselining (CM.L2-3.4.1[c])

    The System Baselining (Documentation and Review) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the importance of maintaining comprehensive documentation and conducting regular reviews of the baseline configuration. This ensures that the baseline accurately reflects the current state of the information system and supports effective decision-making.

  • System Baselining (CM.L2-3.4.1[d])

    The System Baselining (Incident Response Integration) subcontrol within Configuration Management (CM) in CMMCv2 focuses on integrating baseline configuration information into incident response processes. This ensures that deviations from the baseline are promptly identified, investigated, and responded to, minimizing the impact of security incidents.

  • System Baselining (CM.L2-3.4.1[e])

    The System Baselining (Continuous Improvement) subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing a process for continuous improvement of baseline configurations. This involves regular assessments, feedback loops, and adjustments to enhance the overall effectiveness of the baseline in response to evolving threats and organizational requirements.

  • System Baselining (CM.L2-3.4.1[f])

    The System Baselining (Configuration Versioning) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing versioning practices for baseline configurations. This involves maintaining a historical record of configuration changes, enabling organizations to track modifications, assess their impact, and revert to previous states if necessary.

  • Security Configuration Enforcement (CM.L2-3.4.2[a])

    The Security Configuration Enforcement (Enhanced) subcontrol within Configuration Management (CM) in CMMCv2 extends the basic principles of security configuration enforcement by incorporating advanced measures and technologies. This includes enhanced automation, continuous monitoring, and adaptive security configurations to address evolving threats.

  • Security Configuration Enforcement (CM.L2-3.4.2[b])

    The Security Configuration Enforcement (Advanced Auditing) subcontrol within Configuration Management (CM) in CMMCv2 enhances security configuration enforcement by focusing on advanced auditing practices. This involves implementing robust auditing mechanisms to track and analyze changes to security configurations, aiding in incident response and accountability.

  • System Change Management (CM.L2-3.4.3[a])

    The System Change Management (Enhanced Documentation) subcontrol within Configuration Management (CM) in CMMCv2 enhances the basic principles of change management by emphasizing the importance of comprehensive documentation throughout the change management process. This includes detailed records of change requests, assessments, approvals, testing, and implementation.

  • System Change Management (CM.L2-3.4.3[b])

    The System Change Management (Automated Change Approval) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the use of automated processes for change approval. This involves implementing technologies and workflows to streamline and accelerate the approval process for changes, ensuring efficiency while maintaining security and compliance.

  • System Change Management (CM.L2-3.4.3[c])

    The System Change Management (Continuous Monitoring) subcontrol within Configuration Management (CM) in CMMCv2 focuses on integrating continuous monitoring practices into the change management process. This involves real-time tracking of changes, assessing their impact, and ensuring ongoing compliance with security policies.

  • System Change Management (CM.L2-3.4.3[d])

    The System Change Management (Incident Response Integration) subcontrol within Configuration Management (CM) in CMMCv2 enhances the change management process by integrating it with incident response procedures. This involves aligning change management practices with incident response efforts to effectively address and recover from unexpected issues or security incidents resulting from changes.

  • Security Impact Analysis (CM.L2-3.4.4)

    The Security Impact Analysis subcontrol within Configuration Management (CM) in CMMCv2 focuses on conducting thorough analyses to assess the security impacts of proposed changes to information systems. This involves evaluating how changes may affect the confidentiality, integrity, and availability of sensitive information and system resources.

  • Access Restrictions for Change (CM.L2-3.4.5[a])

    The Access Restrictions for Change (Enhanced Authentication) subcontrol within Configuration Management (CM) in CMMCv2 builds upon the basic principles of access restrictions during the change process. This subcontrol specifically focuses on strengthening authentication measures to further enhance the security of configuration items during changes. By implementing enhanced authentication mechanisms, organizations aim to ensure that only authorized individuals with the appropriate credentials can access and modify configuration items.

  • Access Restrictions for Change (CM.L2-3.4.5[b])

    The Access Restrictions for Change (Role-Based Access Control) subcontrol within Configuration Management (CM) in CMMCv2 focuses on refining access restrictions during the change process through the implementation of role-based access control (RBAC). This control ensures that individuals have access rights based on their specific roles or responsibilities within the change management workflow, reducing the risk of unauthorized modifications.

  • Access Restrictions for Change (CM.L2-3.4.5[c])

    The Access Restrictions for Change (Temporal Access Controls) subcontrol within Configuration Management (CM) in CMMCv2 extends access restrictions during the change process by implementing temporal access controls. This ensures that access to configuration items is granted only for a specific duration, reducing the risk of prolonged or unauthorized access.

  • Access Restrictions for Change (CM.L2-3.4.5[d])

    The Access Restrictions for Change (Privileged Access Management) subcontrol within Configuration Management (CM) in CMMCv2 aims to enhance access restrictions during the change process by implementing privileged access management. This involves controlling and monitoring access to configuration items, particularly for individuals with elevated privileges, ensuring that such access is carefully managed to prevent unauthorized or inappropriate changes.

  • Access Restrictions for Change (CM.L2-3.4.5[e])

    The Access Restrictions for Change (Encryption of Configuration Data) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the importance of protecting configuration data during the change process by implementing encryption measures. This ensures that unauthorized access to configuration items is further restricted, and the confidentiality and integrity of sensitive information are maintained.

  • Access Restrictions for Change (CM.L2-3.4.5[f])

    The Access Restrictions for Change (Logging and Monitoring) subcontrol within Configuration Management (CM) in CMMCv2 focuses on enhancing access restrictions during the change process by implementing robust logging and monitoring mechanisms. This ensures that all access to configuration items is logged, monitored, and analyzed for any suspicious or unauthorized activities.

  • Access Restrictions for Change (CM.L2-3.4.5[g])

    The Access Restrictions for Change (Geo-fencing) subcontrol within Configuration Management (CM) in CMMCv2 introduces geographically based access restrictions during the change process. This involves defining geographical boundaries within which authorized individuals are allowed access to configuration items, limiting access from unauthorized locations.

  • Access Restrictions for Change (CM.L2-3.4.5[h])

    The Access Restrictions for Change (User Behavior Analytics) subcontrol within Configuration Management (CM) in CMMCv2 focuses on leveraging user behavior analytics to enhance access restrictions during the change process. By analyzing patterns of user behavior, organizations can detect anomalies, unusual activities, and potential unauthorized changes to configuration items.

  • Least Functionality (CM.L2-3.4.6[a])

    The Least Functionality control (CM.L2-3.4.6[a]) requires organizations to configure their information systems to provide only the essential functions necessary for their intended purpose, minimizing unnecessary features, services, and software. The principle of least functionality ensures that systems are limited to their minimal operational needs, which helps reduce the potential attack surface by disabling or removing unused services and features that could be exploited by attackers.

    This control is designed to enhance system security by ensuring that only necessary components are active and authorized, thereby reducing vulnerabilities and improving overall system stability and security.

Provides training to staff on security best practices, ensuring they understand and adhere to organizational security policies.

  • Role-Based Risk Awareness (AT.L2-3.2.1[a])

    The Role-Based Risk Awareness (Customized Training) subcontrol within Awareness and Training (AT) in CMMCv2 emphasizes the need for organizations to tailor their risk awareness training programs to address specific roles within the organization. This control ensures that training content is customized to the unique responsibilities and risks associated with each role.

  • Role-Based Risk Awareness (AT.L2-3.2.1[b])

    The Role-Based Risk Awareness (Assessment and Feedback) subcontrol within Awareness and Training (AT) in CMMCv2 focuses on establishing mechanisms for assessing the effectiveness of role-based risk awareness training and providing feedback to individuals in various roles. This control ensures continuous improvement by evaluating the impact of training on personnel's ability to understand and address role-specific risks.

  • Role-Based Risk Awareness (AT.L2-3.2.1[c])

    The Role-Based Risk Awareness (Reinforcement and Integration) subcontrol within Awareness and Training (AT) in CMMCv2 focuses on reinforcing role-based risk awareness through ongoing education and integrating risk considerations into day-to-day operations. This control ensures that personnel maintain a heightened awareness of risks associated with their roles and consistently apply best practices in their activities.

  • Role-Based Risk Awareness (AT.L2-3.2.1[d])

    AT.L2-3.2.1[d] requires that managers, system administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. Objective [b] identifies those policies; [d] is met only when the people who must follow them have been told what they are, which is usually evidenced by training records or signed acknowledgements.

  • Role-Based Training (AT.L2-3.2.2[a])

    AT.L2-3.2.2[a] requires that information security-related duties, roles, and responsibilities are defined. Before anyone can be trained for a security role, the organization has to write down what that role is responsible for: for example, who reviews audit logs, who approves privileged access, and who handles incident reports.

  • Role-Based Training (AT.L2-3.2.2[b])

    AT.L2-3.2.2[b] requires that the defined information security-related duties, roles, and responsibilities are assigned to designated personnel. Each duty maps to a named person or position, so there is no security function that nobody owns.

  • Role-Based Training (AT.L2-3.2.2[c])

    AT.L2-3.2.2[c] requires that personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. The training is role-specific: an administrator who manages audit logging or remote access needs instruction on those tools and procedures, not only the general awareness content given to all users.

  • Insider Threat Awareness (AT.L2-3.2.3[a])

    AT.L2-3.2.3[a] requires that potential indicators associated with insider threats are identified. The NIST SP 800-171 discussion lists behaviors such as long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, harassment of co-workers, and workplace violence; the organization decides which indicators are relevant to its environment and documents them.

  • Insider Threat Awareness (AT.L2-3.2.3[b])

    AT.L2-3.2.3[b] requires that security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. The training covers the indicators identified under [a] and the channel for reporting them, so that a concern reaches security or human resources rather than being left with the person who noticed it.

Maintains and reviews audit logs to monitor system activity, ensuring actions are traceable and supporting incident detection.

  • System Auditing (AU.L2-3.3.1[a])

    System Auditing (AU.L2-3.3.1[a]) requires that the audit logs needed, that is, the event types to be logged, to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. (The wording of each CMMC Level 2 assessment objective comes from NIST SP 800-171A.) Typical event types are successful and failed logons, account and privilege changes, configuration changes, access to CUI, and administrative actions.

    Audit records are the traceable record of system activity that detection, incident response and forensics depend on, so the list of events is decided deliberately and written down rather than left at vendor defaults. Systems handling Controlled Unclassified Information (CUI) are in scope.

  • System Auditing (AU.L2-3.3.1[b])

    AU.L2-3.3.1[b] requires that the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. At minimum a record should carry what happened, when, on which host or component, the source of the event, its outcome, and the identity of the user or process involved; without these fields a record cannot be used in an investigation.

  • System Auditing (AU.L2-3.3.1[c])

    AU.L2-3.3.1[c] requires that audit records are created (generated). Specifying events on paper is not enough: logging must actually be enabled on the systems that handle CUI and confirmed to be producing records.

  • System Auditing (AU.L2-3.3.1[d])

    AU.L2-3.3.1[d] requires that audit records, once created, contain the defined content. This is verified by inspecting live records against the content definition from [b], because vendor defaults, log formatters and field truncation can silently drop required fields.

  • System Auditing (AU.L2-3.3.1[e])

    AU.L2-3.3.1[e] requires that retention requirements for audit records are defined. CMMC does not set a fixed period; the organization chooses and documents one long enough to support after-the-fact investigation and any contractual requirements.

  • System Auditing (AU.L2-3.3.1[f])

    AU.L2-3.3.1[f] requires that audit records are retained as defined. Retention is checked in practice: log rotation, SIEM storage quotas and archive jobs must not discard records before the defined period expires.

  • User Accountability (AU.L2-3.3.2[a])

    User Accountability (AU.L2-3.3.2[a]) requires that the content of the audit records needed to support the ability to uniquely trace users to their actions is defined. Records must identify the individual user, not a shared or generic account, and where a process acts on a user's behalf, the user it was acting for.

  • User Accountability (AU.L2-3.3.2[b])

    AU.L2-3.3.2[b] requires that audit records, once created, contain the content defined under [a]. Shared accounts, empty user fields and identifiers that cannot be resolved to a person break traceability and leave an incident investigation inconclusive.
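The checks above (a defined set of required fields, records that actually contain them, and attribution to a single individual rather than a shared account) can be run mechanically over exported records. The following is an added example, not code from the page or from any CMMC publication: the field names, the shared-account list and the sample records are constructed for illustration, and an organization would substitute the content definition from its own policy.

```python
"""Check that audit records carry the content an organization has defined.

Added example (not from the page or any CMMC publication): the field list,
the shared-account list and the sample records below are constructed for
illustration; real definitions come from the organization's own policy.
"""
import json
from datetime import datetime

# Content the organization has defined as required in every audit record
# (AU.L2-3.3.1[b]); "user" plus "session" is what lets a record be traced to
# one individual (AU.L2-3.3.2[a]). Hypothetical field names.
REQUIRED_FIELDS = ("ts", "host", "event", "outcome", "src", "user", "session")

# Accounts that several people can use; a record attributed to one of these
# cannot be traced to a person and therefore fails AU.L2-3.3.2[b].
SHARED_ACCOUNTS = {"root", "admin", "svc-backup", "guest"}


def check_record(line: str) -> list[str]:
    """Return the deficiencies of one JSON-encoded audit record.

    An empty list means the record contains the defined content and is
    attributable to a single user.
    """
    problems: list[str] = []
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"unparseable record: {exc.msg}"]
    if not isinstance(rec, dict):
        return ["record is not a JSON object"]

    for field in REQUIRED_FIELDS:
        if field not in rec or rec[field] in ("", None):
            problems.append(f"missing field: {field}")

    # Timestamps must be ISO 8601 with an explicit UTC offset so that records
    # from different hosts can be ordered against each other.
    ts = rec.get("ts")
    if isinstance(ts, str):
        try:
            parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                problems.append("timestamp has no UTC offset")
        except ValueError:
            problems.append("timestamp is not ISO 8601")

    user = rec.get("user")
    if isinstance(user, str) and user in SHARED_ACCOUNTS:
        # A shared account is acceptable only when the record also names the
        # individual who invoked it (e.g. sudo recording the calling user).
        if not rec.get("on_behalf_of"):
            problems.append(f"shared account '{user}' without on_behalf_of")

    return problems


def audit_log_report(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based record numbers to deficiencies; compliant records are omitted."""
    report: dict[int, list[str]] = {}
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        problems = check_record(line)
        if problems:
            report[n] = problems
    return report


# Constructed sample records for the demonstration; not real log data.
SAMPLE_LOG = [
    '{"ts":"2024-03-01T14:02:11+00:00","host":"fs01","event":"file_read","outcome":"success","src":"10.0.5.21","user":"jdoe","session":"s-8812","object":"/cui/contracts/F123.pdf"}',
    '{"ts":"2024-03-01T14:02:30+00:00","host":"fs01","event":"logon","outcome":"failure","src":"10.0.5.77","user":"admin","session":"s-8813"}',
    '{"ts":"2024-03-01 14:03:00","host":"db02","event":"config_change","outcome":"success","src":"10.0.9.4","user":"","session":"s-8814"}',
    '{"ts":"2024-03-01T14:03:40+00:00","host":"app01","event":"priv_escalation","outcome":"success","src":"10.0.5.21","user":"root","on_behalf_of":"jdoe","session":"s-8815"}',
    'not json at all',
]

if __name__ == "__main__":
    for n, problems in audit_log_report(SAMPLE_LOG).items():
        print(f"record {n}: " + "; ".join(problems))
```

Records 1 and 4 pass (record 4 uses root, but names the invoking user), record 2 is attributed only to a shared admin account, record 3 has an empty user field and a timestamp without an offset, and record 5 is not a parseable record at all. Run against a real export, the report is the evidence for objectives [d] of 3.3.1 and [b] of 3.3.2.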

  • Event Review (AU.L2-3.3.3[a])

    Event Review (AU.L2-3.3.3[a]) requires that a process for determining when to review logged events is defined. This is a review of which event types are being logged (the list from AU.L2-3.3.1[a]), not a review of the log content itself. The process states how often, and on what triggers (new systems, incidents, changes in the threat picture), the list is revisited.

  • Event Review (AU.L2-3.3.3[b])

    AU.L2-3.3.3[b] requires that the event types being logged are reviewed in accordance with the defined review process. The evidence is the review record itself: who reviewed, when, and what was considered.

  • Event Review (AU.L2-3.3.3[c])

    AU.L2-3.3.3[c] requires that the event types being logged are updated based on the review. If the review finds a gap, for example a new application that handles CUI but whose access events are not logged, the logging configuration is changed to close it.

  • Audit Failure Alerting (AU.L2-3.3.4[a])

    Audit Failure Alerting (AU.L2-3.3.4[a]) requires that the personnel or roles to be alerted in the event of an audit logging process failure are identified. An alert that goes to nobody in particular is not an alert; the role (for example, the on-call security administrator) is named in the procedure.

  • Audit Failure Alerting (AU.L2-3.3.4[b])

    AU.L2-3.3.4[b] requires that the types of audit logging process failures for which an alert will be generated are defined. Common failure types are a stopped logging service or forwarding agent, a full log partition, loss of the connection to the central log collector, and dropped or lost events reported by the audit subsystem.

  • Audit Failure Alerting (AU.L2-3.3.4[c])

    AU.L2-3.3.4[c] requires that the identified personnel or roles are alerted when one of the defined failures occurs. Alerting can be automated (monitoring on the log pipeline) or procedural, but the defined failures must actually reach the defined people.
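The three objectives fit together as a small monitoring loop: a defined list of failure types, a defined owner for each, and a check that produces an alert for the owner when a failure is present. The following is an added example and not code from the page or from any CMMC document. The failure types, thresholds, role names and host telemetry are all constructed for illustration; a real implementation reads the same facts from the log collector and service monitoring.

```python
"""Detect audit logging process failures and route alerts to the defined roles.

Added example, not from the page or any CMMC document. The failure types,
thresholds, role names and host status telemetry are constructed for
illustration; an organization substitutes its own definitions
(AU.L2-3.3.4[b]) and role assignments (AU.L2-3.3.4[a]).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class HostStatus:
    """Snapshot of one host's audit pipeline (constructed telemetry)."""
    host: str
    agent_running: bool          # is the log forwarder / audit service up?
    last_event_at: datetime      # newest record from this host received centrally
    log_volume_free_pct: float   # free space on the partition holding local logs
    lost_events: int             # events the audit subsystem reported as dropped


# Failure definitions (hypothetical thresholds).
MAX_SILENCE = timedelta(minutes=15)
MIN_FREE_PCT = 10.0

# Who is alerted for each failure type (hypothetical role names).
ALERT_ROUTING = {
    "agent_down": "security-oncall",
    "no_events": "security-oncall",
    "log_volume_low": "platform-ops",
    "events_lost": "security-oncall",
}

# Fixed "now" so the demonstration is deterministic.
DEMO_NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def detect_failures(statuses: list[HostStatus], now: datetime) -> list[tuple[str, str]]:
    """Return (host, failure_type) pairs for every defined failure present."""
    failures: list[tuple[str, str]] = []
    for s in statuses:
        if not s.agent_running:
            failures.append((s.host, "agent_down"))
        # A running agent that has sent nothing for too long is also a failure:
        # the service can be "up" while its output is silently stuck.
        elif now - s.last_event_at > MAX_SILENCE:
            failures.append((s.host, "no_events"))
        if s.log_volume_free_pct < MIN_FREE_PCT:
            failures.append((s.host, "log_volume_low"))
        if s.lost_events > 0:
            failures.append((s.host, "events_lost"))
    return failures


def route_alerts(failures: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group alert messages by the role that must receive them.

    A failure type with no owner is itself a gap in the AU.L2-3.3.4[a]
    definition, so it raises rather than being dropped silently.
    """
    alerts: dict[str, list[str]] = {}
    for host, ftype in failures:
        if ftype not in ALERT_ROUTING:
            raise ValueError(f"no role defined for failure type {ftype!r}")
        alerts.setdefault(ALERT_ROUTING[ftype], []).append(f"{host}: {ftype}")
    return alerts


def sample_statuses(now: datetime) -> list[HostStatus]:
    """Constructed snapshot used for the demonstration."""
    return [
        HostStatus("fs01", True, now - timedelta(minutes=2), 55.0, 0),
        HostStatus("db02", True, now - timedelta(minutes=40), 30.0, 0),   # stuck forwarder
        HostStatus("app01", False, now - timedelta(hours=3), 80.0, 0),    # agent stopped
        HostStatus("vpn01", True, now - timedelta(minutes=1), 4.5, 120),  # disk nearly full, events dropped
    ]


if __name__ == "__main__":
    for role, msgs in route_alerts(detect_failures(sample_statuses(DEMO_NOW), DEMO_NOW)).items():
        print(f"[{role}]")
        for m in msgs:
            print("  " + m)
```

The "no events for too long" check is the one most often missing in practice: service monitoring reports the agent as healthy while nothing reaches the collector. Checking the age of the newest record per host on the collector side catches that case regardless of why the host stopped sending.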

  • Audit Correlation (AU.L2-3.3.5[a])

    Audit Correlation (AU.L2-3.3.5[a]) requires that audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. The organization writes down how records are reviewed, by whom, with which tools, and what happens when something suspicious is found.

  • Audit Correlation (AU.L2-3.3.5[b])

    AU.L2-3.3.5[b] requires that the defined audit record review, analysis, and reporting processes are correlated. In practice, records from different sources (authentication, VPN, endpoint, application) are brought together so that a sequence of events across systems, which looks benign in any single log, can be recognized as one incident.

  • Reduction & Reporting (AU.L2-3.3.6[a])

    Reduction & Reporting (AU.L2-3.3.6[a]) requires that an audit record reduction capability that supports on-demand analysis is provided. Reduction means filtering, de-duplicating and summarizing raw records so that an analyst can work with the relevant subset; it does not alter or discard the original records.

  • Reduction & Reporting (AU.L2-3.3.6[b])

    AU.L2-3.3.6[b] requires that a report generation capability that supports on-demand reporting is provided. An analyst or assessor should be able to produce a report, for example all access to a CUI share by a given user over a date range, when it is needed and not only on a fixed schedule.
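Correlation, reduction and on-demand reporting are easier to see on data than to describe. The block below is an added example, not code from the page or from any CMMC publication: it takes constructed, already-normalized records from an authentication log and a file-access log, correlates a burst of failed logons followed by a success from the same address with the CUI reads that followed, reduces the records to counts, and produces a per-user report for a time range. The record layout, thresholds and sample events are all assumptions made for the illustration.

```python
"""Correlate audit records across sources, reduce them, and report on demand.

Added example, not from the page or any CMMC publication. The normalized
record layout, the thresholds and the sample events are constructed for
illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical normalized record: (timestamp, source, user, src_ip, event, outcome).
# Constructed sample; "/cui/" paths stand in for a CUI file share.
SAMPLE = [
    ("2024-03-01T09:00:05+00:00", "auth", "jdoe", "203.0.113.9", "logon", "failure"),
    ("2024-03-01T09:00:09+00:00", "auth", "jdoe", "203.0.113.9", "logon", "failure"),
    ("2024-03-01T09:00:14+00:00", "auth", "jdoe", "203.0.113.9", "logon", "failure"),
    ("2024-03-01T09:00:20+00:00", "auth", "jdoe", "203.0.113.9", "logon", "failure"),
    ("2024-03-01T09:00:31+00:00", "auth", "jdoe", "203.0.113.9", "logon", "success"),
    ("2024-03-01T09:02:10+00:00", "file", "jdoe", "203.0.113.9", "read:/cui/contracts/F123.pdf", "success"),
    ("2024-03-01T09:02:12+00:00", "file", "jdoe", "203.0.113.9", "read:/cui/contracts/F124.pdf", "success"),
    ("2024-03-01T09:15:00+00:00", "auth", "asmith", "10.0.5.30", "logon", "success"),
    ("2024-03-01T09:16:00+00:00", "file", "asmith", "10.0.5.30", "read:/public/handbook.pdf", "success"),
    ("2024-03-01T10:00:00+00:00", "auth", "bkim", "10.0.5.31", "logon", "failure"),
    ("2024-03-01T10:00:30+00:00", "auth", "bkim", "10.0.5.31", "logon", "success"),
]

FAIL_THRESHOLD = 3            # failed logons before a success that count as suspicious (hypothetical)
WINDOW = timedelta(minutes=5) # how far back failures, and how far forward file reads, are considered


def parse(rows):
    """Turn the raw tuples into dicts with parsed timestamps, ordered by time."""
    recs = [{"ts": datetime.fromisoformat(ts), "source": source, "user": user,
             "src": src_ip, "event": event, "outcome": outcome}
            for ts, source, user, src_ip, event, outcome in rows]
    return sorted(recs, key=lambda r: r["ts"])


def correlate(records):
    """Find 'many failures, then success' per user and the CUI access that followed it.

    Correlation here crosses two sources: the authentication log supplies the
    failure/success sequence, the file-access log supplies what was done with
    the session afterwards.
    """
    findings = []
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    for user, recs in by_user.items():
        recent_failures = []
        for r in recs:
            if r["source"] != "auth":
                continue
            if r["outcome"] == "failure":
                recent_failures.append(r)
                continue
            # A success: count the failures from the same address inside the window.
            window_start = r["ts"] - WINDOW
            fails = [f for f in recent_failures if f["src"] == r["src"] and f["ts"] >= window_start]
            if len(fails) >= FAIL_THRESHOLD:
                cui_reads = [x["event"] for x in recs
                             if x["source"] == "file" and x["src"] == r["src"]
                             and r["ts"] <= x["ts"] <= r["ts"] + WINDOW
                             and "/cui/" in x["event"]]
                findings.append({"user": user, "src": r["src"], "failures": len(fails),
                                 "success_at": r["ts"].isoformat(), "cui_access": cui_reads})
            recent_failures = []
    return findings


def reduce_records(records):
    """Audit record reduction: counts by (source, user, outcome); originals are untouched."""
    return Counter((r["source"], r["user"], r["outcome"]) for r in records)


def report(records, user, start, end):
    """On-demand report: every record for one user inside [start, end]."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [f'{r["ts"].isoformat()} {r["source"]} {r["src"]} {r["event"]} {r["outcome"]}'
            for r in records if r["user"] == user and s <= r["ts"] <= e]


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for f in correlate(recs):
        print("finding:", f)
    for key, n in reduce_records(recs).most_common():
        print(f"{n:3d}  {key}")
    for line in report(recs, "jdoe", "2024-03-01T09:00:00+00:00", "2024-03-01T09:05:00+00:00"):
        print(line)
```

On the sample, jdoe's four failures followed by a success from the same address, and then two CUI reads, become one finding; bkim's single failure before a success stays below the threshold. A SIEM does the same thing at scale, but the point for the assessment objective is that the rule and the sources it joins are defined, not which product runs them.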

  • Authoritative Time Source (AU.L2-3.3.7[a])

    Authoritative Time Source (AU.L2-3.3.7[a]) requires that internal system clocks are used to generate time stamps for audit records. Correlation across systems is only possible when every record carries a timestamp from the local clock, ideally recorded in UTC or with an explicit offset.

  • Authoritative Time Source (AU.L2-3.3.7[b])

    AU.L2-3.3.7[b] requires that an authoritative source with which to compare and synchronize internal system clocks is specified. This is usually an internal NTP server set that in turn synchronizes to a trusted external source; whichever it is, the choice is documented.

  • Authoritative Time Source (AU.L2-3.3.7[c])

    AU.L2-3.3.7[c] requires that the internal system clocks used to generate audit time stamps are compared to and synchronized with the specified authoritative time source. Clock drift is checked in practice, for example by monitoring the offset reported by the NTP client, because a host whose clock is minutes off produces records that cannot be placed in sequence with those of other hosts.

  • Audit Protection (AU.L2-3.3.8[a])

    Audit Protection (AU.L2-3.3.8[a]) requires that audit information is protected from unauthorized access. Audit records often contain user names, addresses and the paths of CUI files, and they show an attacker what has been noticed; read access is therefore limited to the people and systems that review them.

  • Audit Protection (AU.L2-3.3.8[b])

    AU.L2-3.3.8[b] requires that audit information is protected from unauthorized modification. A record that can be edited after the fact is worthless as evidence; typical measures are write-only forwarding to a central collector, restrictive file permissions, and integrity mechanisms that make any alteration detectable.

  • Audit Protection (AU.L2-3.3.8[c])

    AU.L2-3.3.8[c] requires that audit information is protected from unauthorized deletion. Local logs are forwarded promptly so that deleting them on a compromised host does not erase the evidence, and central storage enforces the retention defined under AU.L2-3.3.1[e].

  • Audit Protection (AU.L2-3.3.8[d])

    AU.L2-3.3.8[d] requires that audit logging tools are protected from unauthorized access. The logging agents, collectors, SIEM and their consoles are themselves restricted, since access to the tooling is access to the records.

  • Audit Protection (AU.L2-3.3.8[e])

    AU.L2-3.3.8[e] requires that audit logging tools are protected from unauthorized modification. Changing a logging configuration or agent binary can silently stop or redirect logging, so such changes are limited to the defined audit administrators and are themselves logged.

  • Audit Protection (AU.L2-3.3.8[f])

    AU.L2-3.3.8[f] requires that audit logging tools are protected from unauthorized deletion. Uninstalling or disabling the logging agent, or removing the collector, must not be possible for ordinary users or routine administrators, and an attempt to do so is one of the failure types that should trigger an alert under AU.L2-3.3.4.

  • Audit Management (AU.L2-3.3.9[a])

    Audit Management (AU.L2-3.3.9[a]) requires that a subset of privileged users granted access to manage audit logging functionality is defined. Not every administrator should be able to change what is logged or where it goes; the organization names the specific users or role that may.

  • Audit Management (AU.L2-3.3.9[b])

    AU.L2-3.3.9[b] requires that management of audit logging functionality is limited to that defined subset of privileged users. Separating the audit administrator role from general system administration means that an administrator who is the subject of an investigation cannot quietly alter the record of their own actions.

Implements controls to manage who can access systems, limiting access to authorized users and protecting sensitive information.

  • Authorized Access Control (AC.L1-3.1.1[a])

    Authorized Access Control (AC.L1-3.1.1[a]) requires that authorized users are identified. (As for the other practices, the objective wording comes from NIST SP 800-171A.) This is the list of people, each with a unique account, who are allowed on the system; it is the input to every later access decision and the baseline against which account reviews and terminations are checked.

  • Authorized Access Control (AC.L1-3.1.1[b])

    AC.L1-3.1.1[b] requires that processes acting on behalf of authorized users are identified. Service accounts, scheduled jobs and integrations that touch the system are enumerated together with the user or function they act for, so that an unknown process reaching CUI stands out.

  • Authorized Access Control (AC.L1-3.1.1[c])

    AC.L1-3.1.1[c] requires that devices (and other systems) authorized to connect to the system are identified. An inventory of managed endpoints and peer systems is what makes it possible to refuse the ones that are not on it.

  • Authorized Access Control (AC.L1-3.1.1[d])

    AC.L1-3.1.1[d] requires that system access is limited to authorized users. The list from [a] is enforced: accounts exist only for identified users, default and departed-user accounts are disabled, and logon is not possible without an account on that list.

  • Authorized Access Control (AC.L1-3.1.1[e])

    AC.L1-3.1.1[e] requires that system access is limited to processes acting on behalf of authorized users. The service accounts from [b] have only the access they need and no interactive logon, and unidentified processes are not granted access.

  • Authorized Access Control (AC.L1-3.1.1[f])

    AC.L1-3.1.1[f] requires that system access is limited to authorized devices (including other systems). Enforcement is typically network access control, certificate-based device authentication, VPN device checks, or firewall rules that restrict which systems may connect.

  • Transaction & Function Control (AC.L1-3.1.2[a])

    Transaction & Function Control (AC.L1-3.1.2[a]) requires that the types of transactions and functions that authorized users are permitted to execute are defined. Being allowed onto a system is not the same as being allowed to do everything on it: for each role, the permitted operations (read, modify, approve, administer) are written down.

  • Transaction & Function Control (AC.L1-3.1.2[b])

    AC.L1-3.1.2[b] requires that system access is limited to the defined types of transactions and functions for authorized users. Roles, groups, file permissions and application authorization rules implement the definitions from [a], so that a user cannot perform an operation outside the permitted set.

  • External Connections (AC.L1-3.1.20[a])

    External Connections (AC.L1-3.1.20[a]) requires that connections to external systems are identified. External systems are those outside the organization's control, such as cloud services, partner networks and contractor-owned devices; each connection to one is inventoried.

  • External Connections (AC.L1-3.1.20[b])

    AC.L1-3.1.20[b] requires that the use of external systems is identified. Beyond network connections, this covers where organizational information is used on systems the organization does not manage, for instance a personal device or an external file-sharing service.

  • External Connections (AC.L1-3.1.20[c])

    AC.L1-3.1.20[c] requires that connections to external systems are verified. Verification means confirming that the external system meets the organization's security requirements (through an assessment, an agreement, or a vendor attestation) before the connection is relied on.

  • External Connections (AC.L1-3.1.20[d])

    AC.L1-3.1.20[d] requires that the use of external systems is verified in the same way: the organization confirms that an external system is adequately protected before allowing its information to be used there.

  • External Connections (AC.L1-3.1.20[e])

    AC.L1-3.1.20[e] requires that connections to external systems are controlled and limited. Firewall rules, allowlists and approved interconnection agreements restrict traffic to the identified and verified connections.

  • External Connections (AC.L1-3.1.20[f])

    AC.L1-3.1.20[f] requires that the use of external systems is controlled and limited, for example by policy together with technical controls that prevent CUI from being stored or processed on unapproved external services.

  • Control Public Information (AC.L1-3.1.22[a])

    Control Public Information (AC.L1-3.1.22[a]) requires that individuals authorized to post or process information on publicly accessible systems are identified. Only named people may publish to the public website, social media accounts or other public-facing systems.

  • Control Public Information (AC.L1-3.1.22[b])

    AC.L1-3.1.22[b] requires that procedures to ensure CUI is not posted or processed on publicly accessible systems are identified. The procedure describes how content is checked for sensitive information before publication and who performs the check.

  • Control Public Information (AC.L1-3.1.22[c])

    AC.L1-3.1.22[c] requires that a review process is in place prior to posting any content to publicly accessible systems. Someone other than the author checks the content before it goes live.

  • Control Public Information (AC.L1-3.1.22[d])

    AC.L1-3.1.22[d] requires that content on publicly accessible systems is reviewed to ensure it does not include CUI. This is a recurring check of what is already published, not only a gate before publication.

  • Control Public Information (AC.L1-3.1.22[e])

    AC.L1-3.1.22[e] requires that mechanisms are in place to remove and address improper posting of CUI. When sensitive content is found on a public system it is taken down promptly and the event is handled through the incident response process.

  • Privacy & Security Notices (AC.L2-3.1.9[a])

    Privacy & Security Notices (AC.L2-3.1.9[a]) requires that privacy and security notices are identified, consistent with applicable CUI rules. The organization determines what notice is required by the CUI categories it handles, typically a system use banner stating that the system is monitored and that unauthorized use is prohibited.

  • Privacy & Security Notices (AC.L2-3.1.9[b])

    AC.L2-3.1.9[b] requires that the identified privacy and security notices are displayed. The banner appears at logon, and where applicable at remote access and application entry points, before the user gains access.

  • Portable Storage Use (AC.L2-3.1.21[a])

    Portable Storage Use (AC.L2-3.1.21[a]) requires that the use of portable storage devices containing CUI on external systems is identified and documented. The concern is CUI on a USB drive or similar medium being connected to a system the organization does not control.

  • Portable Storage Use (AC.L2-3.1.21[b])

    AC.L2-3.1.21[b] requires that limits on the use of portable storage devices containing CUI on external systems are defined, for example prohibiting it entirely, or permitting only organization-issued encrypted devices on approved external systems.

  • Portable Storage Use (AC.L2-3.1.21[c])

    AC.L2-3.1.21[c] requires that the use of portable storage devices containing CUI on external systems is limited as defined. Technical enforcement such as device control policies and encryption requirements backs up the written limits.

  • Least Privilege (AC.L2-3.1.5[a])

    Least Privilege (AC.L2-3.1.5[a]) requires that privileged accounts are identified. These are the accounts with administrative rights on operating systems, directories, network devices, databases, cloud consoles and security tools; the inventory is the basis for the other three objectives of this practice.

  • Least Privilege (AC.L2-3.1.5[b])

    AC.L2-3.1.5[b] requires that access to privileged accounts is authorized in accordance with the principle of least privilege. Only users whose duties require elevated rights receive them, the rights are scoped to the systems and functions actually needed, and the approvals are recorded.

  • Least Privilege (AC.L2-3.1.5[c])

    AC.L2-3.1.5[c] requires that security functions are identified. The NIST SP 800-171 discussion gives establishing system accounts, setting which events are logged, setting intrusion detection parameters, and configuring access authorizations as examples; the organization lists which functions on its own systems count.

  • Least Privilege (AC.L2-3.1.5[d])

    AC.L2-3.1.5[d] requires that access to security functions is authorized in accordance with the principle of least privilege. Only the identified privileged users get the ability to, for example, change what is logged or who has access; routine administrative roles are not given these rights by default.

  • Non-Privileged Account Use (AC.L2-3.1.6[a])

    Non-Privileged Account Use (AC.L2-3.1.6[a]) requires that nonsecurity functions are identified. Reading e-mail, browsing, editing documents and most day-to-day work are nonsecurity functions, and they are the activities during which an administrator should not be carrying elevated rights.

  • Non-Privileged Account Use (AC.L2-3.1.6[b])

    AC.L2-3.1.6[b] requires that users are required to use non-privileged accounts or roles when accessing nonsecurity functions. Administrators have a separate standard account for daily work and switch to the privileged account or role only for the security functions that need it, which limits the damage if the daily session is compromised through phishing or malware.

  • Unsuccessful Logon Attempts (AC.L2-3.1.8[a])

    Unsuccessful Logon Attempts (AC.L2-3.1.8[a]) requires that the means of limiting unsuccessful logon attempts is defined: the number of failures allowed, the window in which they are counted, and what happens when the limit is reached (a temporary lockout, a delay that grows with each failure, or an unlock by an administrator).

  • Unsuccessful Logon Attempts (AC.L2-3.1.8[b])

    AC.L2-3.1.8[b] requires that the defined means is implemented on the systems in scope, for example through the account lockout policy in the directory, PAM configuration on Linux hosts, and the equivalent settings on applications, VPN gateways and network devices, and that it applies to privileged as well as standard accounts.
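The defined means is normally a platform setting rather than custom code, but the logic is worth seeing once, including the two behaviours that are easy to get wrong: a correct password must still be refused while the account is locked, and failures older than the window must stop counting. The block below is an added example, not code from the page or any CMMC publication, with hypothetical policy values and constructed account names.

```python
"""Limit unsuccessful logon attempts: threshold, counting window and lockout period.

Added example, not from the page or any CMMC publication. The policy values
and account names are constructed; CMMC requires that the means be defined
(AC.L2-3.1.8[a]) and implemented ([b]), not these particular numbers.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5                       # hypothetical policy values
FAILURE_WINDOW = timedelta(minutes=15)
LOCKOUT = timedelta(minutes=30)

T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def at(seconds: int) -> datetime:
    """Timestamp `seconds` after T0, for the deterministic demonstration."""
    return T0 + timedelta(seconds=seconds)


class LogonLimiter:
    def __init__(self) -> None:
        self._failures: dict[str, deque] = defaultdict(deque)  # account -> recent failure times
        self._locked_until: dict[str, datetime] = {}

    def _prune(self, account: str, now: datetime) -> None:
        """Drop failures that fell out of the counting window."""
        q = self._failures[account]
        while q and now - q[0] > FAILURE_WINDOW:
            q.popleft()

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self._locked_until.get(account)
        if until is not None and now < until:
            return True
        if until is not None:                 # lockout expired: start clean
            del self._locked_until[account]
            self._failures[account].clear()
        return False

    def attempt(self, account: str, password_ok: bool, now: datetime) -> str:
        """Record one logon attempt; return 'locked', 'allowed' or 'denied'.

        The lock is checked before the credential, so a correct password
        during a lockout is still refused: otherwise an attacker who guessed
        the password on the locking attempt would simply retry it.
        """
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account].clear()
            return "allowed"
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT
            return "locked"
        return "denied"


def simulate() -> list[str]:
    """Five rapid failures, a correct password during the lock, and one after it expires."""
    lim = LogonLimiter()
    results = [lim.attempt("jdoe", False, at(i * 10)) for i in range(5)]
    results.append(lim.attempt("jdoe", True, at(5 * 60)))
    results.append(lim.attempt("jdoe", True, at(31 * 60)))
    return results


if __name__ == "__main__":
    print(simulate())
```

Whatever enforces the policy in production, the same three checks make a good test of it: the lock engages at the defined count, a valid credential is refused until the lock expires, and old failures do not accumulate forever.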

  • Session Lock (AC.L2-3.1.10[a])

    Session Lock (AC.L2-3.1.10[a]) requires that the period of inactivity after which the system initiates a session lock is defined. CMMC does not set the number; the organization chooses one and documents it, and the same period should apply on workstations, servers and remote sessions.

  • Session Lock (AC.L2-3.1.10[b])

    AC.L2-3.1.10[b] requires that access to the system and the viewing of data is prevented by initiating a session lock after the defined period of inactivity. The lock must require re-authentication to clear; a screensaver that is dismissed with a keypress does not satisfy it.

  • Session Lock (AC.L2-3.1.10[c])

    AC.L2-3.1.10[c] requires that previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. The locked screen shows a blank or neutral image, not a dimmed copy of whatever CUI was on screen.

  • Wireless Access Authorization (AC.L2-3.1.16[a])

    Wireless Access Authorization (AC.L2-3.1.16[a]) requires that wireless access points are identified. The inventory covers every access point in the environment, and a periodic wireless survey for unknown or rogue access points is one way to keep the list accurate.

  • Wireless Access Authorization (AC.L2-3.1.16[b])

    AC.L2-3.1.16[b] requires that wireless access is authorized prior to allowing such connections. Wireless networks that reach systems handling CUI authenticate the user and device before granting access, and guest wireless is kept separate from the CUI environment.

  • Control Remote Access (AC.L2-3.1.12[a])

    The Control Remote Access subcontrol (AC.L2-3.1.12[a]) focuses on establishing a robust framework to control and monitor remote access specifically for regular user accounts. It aims to enhance access control measures by implementing policies and technologies that ensure secure and authorized remote access for individuals with regular user privileges. This control is essential for preventing unauthorized access, safeguarding data integrity, and maintaining the confidentiality of information accessed remotely by regular users.

  • Control Remote Access (AC.L2-3.1.12[b])

    The Control Remote Access subcontrol (AC.L2-3.1.12[b]) covers the second assessment objective of AC.L2-3.1.12: the types of permitted remote access are identified. Typical entries are VPN into the enclave, remote desktop through a gateway, SSH via a bastion host, and vendor remote support under supervision; any access method not on the list, such as an exposed RDP port or a personal remote-control tool, is unauthorized by definition. The objective is not specific to privileged accounts.

  • Control Remote Access (AC.L2-3.1.12[c])

    The Control Remote Access subcontrol (AC.L2-3.1.12[c]) covers the third assessment objective of AC.L2-3.1.12: remote access sessions are controlled. Control means that a remote session can be established only through the permitted types from [b], only after the user authenticates (multifactor authentication for network access is separately required by IA.L2-3.5.3), and only to the systems and protocols the organization allows, enforced by the VPN concentrator, gateway or firewall rather than by policy alone. The objective applies to all remote sessions, not only to administrators.

  • Control Remote Access (AC.L2-3.1.12[d])

    The Control Remote Access subcontrol (AC.L2-3.1.12[d]) covers the fourth assessment objective of AC.L2-3.1.12: remote access sessions are monitored. Each session's start, end, user, source address and access method is logged at the access control point, the logs are retained and reviewed, and anomalies (logins from unexpected locations, sessions outside working hours, connections that bypass the managed entry points) raise an alert. The objective applies to all remote users, not only regular ones.

  • Remote Access Routing (AC.L2-3.1.14[a])

    The Remote Access Routing subcontrol (AC.L2-3.1.14[a]) covers the first assessment objective of AC.L2-3.1.14: managed access control points are identified and implemented. The organization designates a small number of entry points for remote traffic, such as a VPN concentrator, a remote desktop gateway or an SSH bastion host, and configures, patches, monitors and documents them as the places where remote access policy is enforced. The objective is not specific to privileged users.

  • Remote Access Routing (AC.L2-3.1.14[b])

    The Remote Access Routing subcontrol (AC.L2-3.1.14[b]) covers the second assessment objective of AC.L2-3.1.14: remote access is routed through managed network access control points. In practice this means perimeter firewalls accept remote-access protocols only at the access control points identified under [a], internal systems accept remote sessions only from those points, and split tunneling or direct exposure of internal services is not allowed, so that every remote session passes through the controls and monitoring required by AC.L2-3.1.12. The objective applies to all remote users, not only regular ones.
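
The following is an added example, not code from this page or from any CMMC assessment guide, showing one way to check the monitoring objective of AC.L2-3.1.12[d] together with the routing objective of AC.L2-3.1.14 on a Linux host: every accepted SSH login should originate from a managed access control point, and the monitoring should notice when one does not. The access-point names and address ranges are hypothetical and the sshd log lines are constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Managed network access control points (AC.L2-3.1.14[a]): the only places a
# remote session may come from. The names and address ranges are hypothetical.
MANAGED_ACCESS_POINTS = {
    "vpn-pool": ipaddress.ip_network("10.200.0.0/16"),  # addresses handed out by the VPN concentrator
    "bastion": ipaddress.ip_network("10.10.5.10/32"),   # SSH jump host
}
# Address space treated as local (not remote access). Checked after the managed
# ranges because the VPN pool is carved out of this block.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sshd log lines in syslog format, not captured from a real system.
SAMPLE_LOG = """\
Mar  3 08:01:12 cui-app1 sshd[2311]: Accepted publickey for alice from 10.200.14.7 port 51022 ssh2: ED25519 SHA256:abc
Mar  3 08:03:40 cui-app1 sshd[2390]: Accepted password for svc_backup from 203.0.113.45 port 40211 ssh2
Mar  3 08:05:02 cui-app1 sshd[2402]: Accepted publickey for bob from 10.10.5.10 port 33390 ssh2: RSA SHA256:def
Mar  3 08:06:55 cui-app1 sshd[2455]: Failed password for root from 198.51.100.9 port 55555 ssh2
Mar  3 08:09:13 cui-app1 sshd[2471]: Accepted publickey for carol from 10.42.8.3 port 47001 ssh2: ED25519 SHA256:ghi
"""

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Finding:
    user: str
    ip: str
    reason: str


def classify_source(ip: str) -> str:
    """Name the managed access point an address belongs to, or 'internal' / 'unmanaged-remote'."""
    addr = ipaddress.ip_address(ip)
    for name, net in MANAGED_ACCESS_POINTS.items():
        if addr in net:
            return name
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "unmanaged-remote"


def audit_remote_logins(log_text: str) -> tuple[list[Finding], dict[str, int]]:
    """Return (findings, accepted-session count per source) for a block of sshd log lines."""
    findings: list[Finding] = []
    sessions: dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        source = classify_source(m["ip"])
        if m["result"] == "Accepted":
            # AC.L2-3.1.12[d]: every established session is counted by its entry point
            sessions[source] = sessions.get(source, 0) + 1
            if source == "unmanaged-remote":
                findings.append(Finding(m["user"], m["ip"],
                                        "accepted remote login did not come through a managed access control point"))
        elif source == "unmanaged-remote":
            # A failed attempt from outside means the host is reachable directly, i.e. the
            # firewall is not restricting SSH to the access control points (AC.L2-3.1.14[b]).
            findings.append(Finding(m["user"], m["ip"], "host accepts SSH attempts directly from outside"))
    return findings, sessions


if __name__ == "__main__":
    found, counts = audit_remote_logins(SAMPLE_LOG)
    print("sessions by source:", counts)
    for f in found:
        print(f"FINDING {f.user}@{f.ip}: {f.reason}")
```

Run against the constructed log, the check reports the `svc_backup` login from 203.0.113.45 (a session that never touched the VPN or the bastion) and the failed `root` attempt from 198.51.100.9 (evidence that port 22 is reachable from outside the access control points); the per-source counts are the kind of summary that a weekly review of remote access sessions would start from.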

  • Control CUI Flow (AC.L2-3.1.3[a])

    The Control CUI Flow subcontrol (AC.L2-3.1.3[a]) covers the first assessment objective of AC.L2-3.1.3: information flow control policies are defined. The policy states where CUI is allowed to move within the system and between interconnected systems (for example, from the engineering enclave to an approved partner's SFTP server but never to personal email or public cloud storage), and it is written in terms of systems, networks, devices and roles rather than in terms of privileged versus regular users.

  • Control CUI Flow (AC.L2-3.1.3[b])

    The Control CUI Flow subcontrol (AC.L2-3.1.3[b]) covers the second assessment objective of AC.L2-3.1.3: methods and enforcement mechanisms for controlling the flow of CUI are defined. Typical mechanisms are network segmentation and firewall rules around a CUI enclave, proxies and data loss prevention that inspect outbound traffic for CUI markings, and application or share permissions that keep CUI within approved storage. This objective is about naming the mechanisms; it is not specific to regular users.

  • Control CUI Flow (AC.L2-3.1.3[c])

    The Control CUI Flow subcontrol (AC.L2-3.1.3[c]) covers the third assessment objective of AC.L2-3.1.3: designated sources and destinations (networks, individuals and devices) for CUI within the system and between interconnected systems are identified. The organization lists where CUI originates, where it may be stored and processed, and which external parties, such as a prime contractor or a DIB partner, may legitimately receive it; sharing with an external entity is permitted only between designated endpoints.

  • Control CUI Flow (AC.L2-3.1.3[d])

    The Control CUI Flow subcontrol (AC.L2-3.1.3[d]) covers the fourth assessment objective of AC.L2-3.1.3: authorizations for controlling the flow of CUI are defined. For each pair of designated source and destination from [c], the organization records whether the flow is authorized, by whom, over which channel, and under what conditions. A default-deny model, in which any CUI transfer not on the authorized list is blocked, is the straightforward way to satisfy this objective and also prevents exfiltration over unanticipated paths.

  • Control CUI Flow (AC.L2-3.1.3[e])

    The Control CUI Flow subcontrol (AC.L2-3.1.3[e]) covers the fifth assessment objective of AC.L2-3.1.3: approved authorizations for controlling the flow of CUI are enforced. The mechanisms named under [b] must actually implement the authorizations from [d], so that an attempted transfer outside the approved set is blocked by a technical control rather than merely prohibited on paper. Assessors look for evidence such as firewall and DLP rule sets, proxy configurations and logs of blocked transfers.
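
The five objectives of AC.L2-3.1.3 above fit together as a single policy engine, and the block below is an added example of one, written for this page rather than taken from any product or assessment guide. The zones, the authorized flows, the approved channels and the transfer events are all hypothetical, and the labeling rule (a CUI banner on the first line) is an assumption chosen so the example runs offline; a real deployment would take the label from a DLP engine or a document management system.

```python
from __future__ import annotations

import re

# Designated sources and destinations for CUI (AC.L2-3.1.3[c]). Zone names are hypothetical.
ZONES = {
    "cui-enclave": "cui",                 # systems authorized to store and process CUI
    "corp-lan": "internal",               # general-purpose office network
    "partner-sftp": "external-approved",  # DIB partner covered by an agreement that permits CUI sharing
    "internet": "external",
}

# Authorizations for the flow of CUI (AC.L2-3.1.3[d]): (source, destination, label).
# Anything not listed is denied; there is no implicit allow for unlabeled traffic.
AUTHORIZED_FLOWS = {
    ("cui-enclave", "cui-enclave", "CUI"),
    ("corp-lan", "cui-enclave", "CUI"),
    ("cui-enclave", "partner-sftp", "CUI"),
    ("corp-lan", "internet", "PUBLIC"),
    ("cui-enclave", "internet", "PUBLIC"),
}

# Enforcement mechanism detail (AC.L2-3.1.3[b]): CUI may only leave a CUI zone over these channels.
APPROVED_CUI_CHANNELS = {"sftp", "tls", "smb-signed"}

# Assumed labeling rule (AC.L2-3.1.3[b]): a banner such as "CUI" or "CUI//SP-EXPT" on the
# first line marks the content as CUI; anything else is treated as PUBLIC.
CUI_BANNER = re.compile(r"^\s*(CUI|CONTROLLED)(//|$)")


def label_content(text: str) -> str:
    first_line = text.splitlines()[0] if text.strip() else ""
    return "CUI" if CUI_BANNER.match(first_line) else "PUBLIC"


def decide(src: str, dst: str, label: str, channel: str) -> tuple[str, str]:
    """Enforce the approved authorizations (AC.L2-3.1.3[e]). Returns (decision, reason)."""
    if src not in ZONES or dst not in ZONES:
        return "DENY", "unknown zone"
    if (src, dst, label) not in AUTHORIZED_FLOWS:
        return "DENY", f"no authorization for {label} from {src} to {dst}"
    if label == "CUI" and ZONES[dst] != "cui" and channel not in APPROVED_CUI_CHANNELS:
        return "DENY", f"{channel} is not an approved channel for CUI leaving {src}"
    return "ALLOW", "authorized flow"


def evaluate_transfer(src: str, dst: str, channel: str, content: str) -> tuple[str, str, str]:
    """Label the content, then decide. Returns (label, decision, reason)."""
    label = label_content(content)
    decision, reason = decide(src, dst, label, channel)
    return label, decision, reason


# Constructed transfer events, not observed traffic.
EVENTS = [
    ("cui-enclave", "partner-sftp", "sftp", "CUI//SP-EXPT\nDrawing package rev C"),
    ("cui-enclave", "internet", "https", "CUI\nQuarterly test report"),      # upload to personal cloud storage
    ("corp-lan", "internet", "https", "Press release draft"),
    ("cui-enclave", "partner-sftp", "smtp", "CUI\nDrawing package rev C"),   # right partner, wrong channel
    ("corp-lan", "cui-enclave", "smb-signed", "CUI\nUpdated spec"),
]

if __name__ == "__main__":
    for src, dst, channel, content in EVENTS:
        label, decision, reason = evaluate_transfer(src, dst, channel, content)
        print(f"{decision:5} {label:6} {src} -> {dst} via {channel}: {reason}")
```

Two of the five constructed events are denied: the CUI upload to the internet, because no authorization exists for that pair, and the CUI e-mail to the partner, because the pair is authorized but SMTP is not an approved channel. The second case is the one a policy written only in terms of "who may send to whom" misses, which is why objective [b] asks for the mechanism and not just the rule.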

  • Wireless Access Protection (AC.L2-3.1.17[a])

    Wireless Access Protection (AC.L2-3.1.17[a]) covers the first assessment objective of AC.L2-3.1.17: wireless access to the system is protected using authentication. Clients must prove who they are before they can use the wireless network; open networks do not qualify, and 802.1X/EAP (WPA2-Enterprise or WPA3-Enterprise) with per-user or per-device credentials is preferred over a pre-shared key, because a shared passphrase cannot identify an individual user or be revoked for a single device.

  • Wireless Access Protection (AC.L2-3.1.17[b])

    Wireless Access Protection (AC.L2-3.1.17[b]) covers the second assessment objective of AC.L2-3.1.17: wireless access to the system is protected using encryption. Traffic between client and access point must be encrypted with a current protocol, in practice WPA2 or WPA3 with AES (CCMP or GCMP); WEP and WPA/TKIP are broken and do not satisfy the objective. Because the wireless link carries CUI, the encryption used must also meet the FIPS-validated cryptography requirement of SC.L2-3.13.11.
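
The two Wireless Access Authorization objectives (AC.L2-3.1.16, identify and authorize access points) and the two Wireless Access Protection objectives (AC.L2-3.1.17, authentication and encryption) are checked by the same kind of periodic survey, so one added example covers both. This is example code written for this page, not a tool from the page's author; the access point inventory and the scan results are constructed, and the sets of acceptable authentication methods and ciphers are an assumed policy rather than an authoritative list.

```python
from __future__ import annotations

from dataclasses import dataclass

# Authorized access points (AC.L2-3.1.16[a]): BSSID -> SSID it is allowed to serve. Hypothetical inventory.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": "CORP-CUI",
    "aa:bb:cc:00:00:02": "CORP-CUI",
    "aa:bb:cc:00:00:10": "CORP-GUEST",
}
# SSIDs through which CUI systems are reachable; these must meet AC.L2-3.1.17[a] and [b].
CUI_SSIDS = {"CORP-CUI"}

# Assumed policy for CUI networks: 802.1X so every user/device is individually authenticated,
# and an AES-based cipher. TKIP and WEP are deprecated; OPEN has neither authentication nor encryption.
STRONG_AKM = {"WPA2-EAP", "WPA3-EAP"}
STRONG_CIPHERS = {"CCMP", "GCMP"}

# Constructed scan results in the shape a site-survey export might use; not real captures.
SCAN = [
    {"bssid": "aa:bb:cc:00:00:01", "ssid": "CORP-CUI",   "akm": "WPA2-EAP", "cipher": "CCMP"},
    {"bssid": "aa:bb:cc:00:00:02", "ssid": "CORP-CUI",   "akm": "WPA2-PSK", "cipher": "TKIP"},
    {"bssid": "aa:bb:cc:00:00:10", "ssid": "CORP-GUEST", "akm": "OPEN",     "cipher": "NONE"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CORP-CUI",   "akm": "WPA2-PSK", "cipher": "CCMP"},
    {"bssid": "12:34:56:78:9a:bc", "ssid": "Linksys",    "akm": "WEP",      "cipher": "WEP"},
]


@dataclass(frozen=True)
class Finding:
    bssid: str
    severity: str
    reason: str


def audit_wireless(scan: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ap in scan:
        bssid, ssid = ap["bssid"].lower(), ap["ssid"]
        if bssid not in AUTHORIZED_APS:
            # AC.L2-3.1.16: anything not in the inventory is unauthorized. An unknown radio
            # advertising a CUI SSID is the evil-twin case and gets top severity.
            if ssid in CUI_SSIDS:
                findings.append(Finding(bssid, "critical", f"unauthorized AP impersonating {ssid}"))
            else:
                findings.append(Finding(bssid, "high", f"unauthorized AP '{ssid}' in range"))
            continue
        if AUTHORIZED_APS[bssid] != ssid:
            findings.append(Finding(bssid, "high", f"authorized AP serving unexpected SSID {ssid}"))
        if ssid not in CUI_SSIDS:
            continue  # guest/other networks are out of scope here as long as they are segmented from CUI
        # AC.L2-3.1.17[a]: authentication
        if ap["akm"] == "OPEN":
            findings.append(Finding(bssid, "critical", "CUI network has no authentication"))
        elif ap["akm"] not in STRONG_AKM:
            findings.append(Finding(bssid, "medium",
                                    f"{ap['akm']} on CUI network: shared secret, no per-user authentication"))
        # AC.L2-3.1.17[b]: encryption
        if ap["cipher"] not in STRONG_CIPHERS:
            findings.append(Finding(bssid, "high", f"cipher {ap['cipher']} on CUI network is not acceptable"))
    return findings


if __name__ == "__main__":
    for f in audit_wireless(SCAN):
        print(f"[{f.severity}] {f.bssid}: {f.reason}")
```

On the constructed scan the first access point is clean, the second is authorized but misconfigured (pre-shared key and TKIP on the CUI SSID), the guest network is skipped as out of scope, `de:ad:be:ef:00:01` is an unknown radio impersonating the CUI SSID, and the WEP "Linksys" network is a neighbouring or rogue device. The check deliberately keys on BSSID rather than SSID: an SSID is just a string anyone can broadcast, which is exactly why objective [a] asks for the access points to be identified.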

  • Remote Access Confidentiality (AC.L2-3.1.13[a])

    Remote Access Confidentiality (AC.L2-3.1.13[a]) covers the first assessment objective of AC.L2-3.1.13: cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. The organization documents which protocols and algorithms protect each permitted type of remote access (for example IPsec or TLS for the VPN, TLS for the remote desktop gateway, SSH for the bastion host, down to the specific ciphers and key exchange methods), and, since the sessions carry CUI, the mechanisms chosen must come from FIPS-validated modules as required by SC.L2-3.13.11.

  • Remote Access Confidentiality (AC.L2-3.1.13[b])

    Remote Access Confidentiality (AC.L2-3.1.13[b]) covers the second assessment objective of AC.L2-3.1.13: the cryptographic mechanisms identified under [a] are implemented. The VPN concentrator, gateway and SSH servers must actually be configured to negotiate only the approved algorithms, and anything weaker that the software offers by default must be disabled; assessors check the running configuration, not the design document.
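
The gap between [a] and [b] is usually a server that still negotiates its defaults. The following added example, written for this page and not drawn from any assessment guide, checks an OpenSSH server configuration against an identified list of algorithms: the allowlist is an assumed example policy (it is not an authoritative FIPS list; the organization's own list from objective [a] is what governs), and both configuration fragments are constructed.

```python
from __future__ import annotations

# Cryptographic mechanisms identified for remote access (AC.L2-3.1.13[a]). Assumed example
# policy for this block; substitute the organization's own approved list.
APPROVED = {
    "Ciphers": {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes128-ctr"},
    "MACs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "hmac-sha2-256", "hmac-sha2-512"},
    "KexAlgorithms": {"ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
                      "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256"},
}

# Constructed sshd_config fragments (not from a real host): one as commonly found, one corrected.
WEAK_CONFIG = """\
Port 22
Ciphers aes256-ctr,aes128-cbc,3des-cbc,chacha20-poly1305@openssh.com
MACs hmac-sha2-256,hmac-sha1,hmac-md5
# KexAlgorithms is not set, so the daemon's default list applies and was never reviewed
"""

HARDENED_CONFIG = """\
Port 22
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms ecdh-sha2-nistp384,diffie-hellman-group16-sha512
"""


def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Return keyword -> algorithm list for the crypto keywords we care about.

    sshd uses the first value it reads for a keyword, so later duplicates are ignored here too.
    Comments are stripped; keywords are matched case-insensitively like sshd does.
    """
    settings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = next((k for k in APPROVED if k.lower() == parts[0].lower()), None)
        if key and key not in settings:
            settings[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return settings


def check_remote_access_crypto(text: str) -> dict[str, list[str]]:
    """Return keyword -> problems. An empty dict means the config implements the approved list (3.1.13[b])."""
    settings = parse_sshd_config(text)
    problems: dict[str, list[str]] = {}
    for key, allowed in APPROVED.items():
        if key not in settings:
            problems[key] = ["not set explicitly; server default applies, pin it to the approved list"]
            continue
        bad = [alg for alg in settings[key] if alg not in allowed]
        if bad:
            problems[key] = [f"unapproved algorithm {alg}" for alg in bad]
    return problems


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_remote_access_crypto(cfg) or "OK")
```

The weak fragment fails on three counts: CBC and 3DES ciphers plus an algorithm outside the approved list, SHA-1 and MD5 MACs, and a key exchange list that was never pinned at all. Two caveats for real use: the parser treats each value as a literal list and does not understand the `+`, `-` and `^` prefixes OpenSSH accepts for appending to or removing from the default list, nor `Match` blocks that override settings per user or address; and passing a configuration check is not the same as the binary using a FIPS-validated module, which is a separate question for SC.L2-3.13.11.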

  • Separation of Duties (AC.L2-3.1.4[a])

    Separation of Duties (AC.L2-3.1.4[a]) covers the first assessment objective of AC.L2-3.1.4: the duties of individuals requiring separation are defined. The organization identifies the combinations of duties that would let one person both carry out and approve or conceal a harmful action, for example creating a vendor and approving payments to it, developing code and deploying it to production, or administering a system and administering its audit logs, and records these pairs as requiring separation.

  • Separation of Duties (AC.L2-3.1.4[b])

    Separation of Duties (AC.L2-3.1.4[b]) covers the second assessment objective of AC.L2-3.1.4: responsibilities for duties that require separation are assigned to separate individuals. Organizational roles and job descriptions are arranged so that no single person holds both halves of a separated pair defined under [a]; in a small organization where this is not possible, a compensating control such as independent review of the combined activity must be documented.

  • Separation of Duties (AC.L2-3.1.4[c])

    Separation of Duties (AC.L2-3.1.4[c]) covers the third assessment objective of AC.L2-3.1.4: access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. It is not enough to separate duties on an organization chart; the accounts, group memberships and application roles that grant each duty must also be split, and role assignments should be checked on every provisioning change so that an accumulation of roles does not quietly recreate a conflict.
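
Objective [c] is the one that gets violated silently, when a user picks up a second role years after the first. The block below is an added example for this page, not the page author's tooling: it encodes the separated-duty pairs from [a], resolves each user's effective duties through their roles, reports existing conflicts, and refuses a role assignment that would create one. The duty pairs, roles and users are all hypothetical.

```python
from __future__ import annotations

# Duties that require separation (AC.L2-3.1.4[a]). Hypothetical, but typical of a DIB contractor:
# whoever can create a payee must not approve payments, developers must not push their own
# code to production, and whoever administers systems must not control their audit trail.
SEPARATED_DUTIES = [
    ("create_vendor", "approve_payment"),
    ("develop_code", "deploy_to_production"),
    ("administer_systems", "administer_audit_logs"),
]

# Roles carry duties; users carry roles (AC.L2-3.1.4[b]). Hypothetical data.
ROLE_DUTIES = {
    "ap-clerk": {"create_vendor", "enter_invoice"},
    "ap-manager": {"approve_payment"},
    "developer": {"develop_code"},
    "release-engineer": {"deploy_to_production"},
    "sysadmin": {"administer_systems"},
    "log-admin": {"administer_audit_logs"},
}
USER_ROLES = {
    "alice": {"ap-clerk"},
    "bob": {"ap-clerk", "ap-manager"},
    "carol": {"developer"},
    "dave": {"developer", "release-engineer"},
    "erin": {"sysadmin"},
    "frank": {"sysadmin", "log-admin"},
}


def effective_duties(roles: set[str]) -> set[str]:
    """Union of the duties granted by a set of roles; unknown roles grant nothing."""
    return set().union(*(ROLE_DUTIES.get(r, set()) for r in roles))


def conflicts_for(duties: set[str]) -> list[tuple[str, str]]:
    """Separated pairs where one identity holds both duties."""
    return [(a, b) for a, b in SEPARATED_DUTIES if a in duties and b in duties]


def find_violations(user_roles: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Users whose combined roles let one person exercise both halves of a separated duty (AC.L2-3.1.4[c])."""
    out: dict[str, list[tuple[str, str]]] = {}
    for user, roles in user_roles.items():
        found = conflicts_for(effective_duties(roles))
        if found:
            out[user] = found
    return out


def can_assign_role(user: str, role: str, user_roles: dict[str, set[str]] = USER_ROLES) -> bool:
    """Pre-check for provisioning: refuse any assignment that would create a conflict."""
    proposed = user_roles.get(user, set()) | {role}
    return not conflicts_for(effective_duties(proposed))


if __name__ == "__main__":
    for user, pairs in find_violations(USER_ROLES).items():
        print(f"{user}: holds both {pairs[0][0]} and {pairs[0][1]}")
    print("alice -> ap-manager allowed?", can_assign_role("alice", "ap-manager"))
```

Run periodically this is the review evidence for [c]; wired into the provisioning workflow (`can_assign_role` before the directory change is made) it prevents the conflict instead of reporting it afterwards. Checking against effective duties rather than role names matters because the same duty often appears in several roles, and a conflict between two differently named roles is easy to miss by eye.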

  • Privileged Functions (AC.L2-3.1.7[a])

    Privileged Functions (AC.L2-3.1.7[a]) covers the first assessment objective of AC.L2-3.1.7: privileged functions are defined. The organization lists the operations on its systems that can change security state or expose CUI broadly, such as creating accounts, changing firewall or audit configuration, installing software, and reading security logs, so that [c] and [d] have a concrete set of functions to prevent and to record.

  • Privileged Functions (AC.L2-3.1.7[b])

    Privileged Functions (AC.L2-3.1.7[b]) covers the second assessment objective of AC.L2-3.1.7: non-privileged users are defined. These are the users, or roles, that are not authorized to execute any of the privileged functions listed under [a]; the definition is what allows the system to decide whom to block, and it should cover service accounts as well as people.

  • Privileged Functions (AC.L2-3.1.7[c])

    Privileged Functions (AC.L2-3.1.7[c]) covers the third assessment objective of AC.L2-3.1.7: non-privileged users are prevented from executing privileged functions. The prevention must be technical, enforced by operating system permissions, sudo rules or application role checks, so that a non-privileged user who attempts a privileged function is denied rather than merely told not to; this is also the objective that limits what malware running as a regular user can do.

  • Privileged Functions (AC.L2-3.1.7[d])

    Privileged Functions (AC.L2-3.1.7[d]) covers the fourth assessment objective of AC.L2-3.1.7: the execution of privileged functions is captured in audit logs. Every privileged function call, including denied attempts by non-privileged users, is recorded with the actor, the function, the time and the outcome, and the records are sent somewhere the executing user cannot alter, so that misuse of privilege can be detected and attributed.
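
In application code the four objectives of AC.L2-3.1.7 collapse into one enforcement point, and the added example below shows it: a table of privileged functions with the roles allowed to call them ([a]), a derived notion of non-privileged user ([b]), a decorator that denies everyone else ([c]) and writes an audit record for every attempt, denied or not ([d]). This is example code written for this page, not from the page author or any product; the function names, roles and users are hypothetical, and the in-memory audit list stands in for a log forwarder.

```python
from __future__ import annotations

import functools
import json
import time

# Privileged functions (AC.L2-3.1.7[a]) and the roles allowed to execute them. Hypothetical.
PRIVILEGED_FUNCTIONS = {
    "create_user": {"admin"},
    "change_firewall_rule": {"admin"},
    "modify_audit_config": {"audit-admin"},
}
USER_ROLES = {"alice": "user", "bob": "admin", "carol": "audit-admin"}

# In-memory audit trail for this example (AC.L2-3.1.7[d]). A real deployment ships these
# records to a log server that the executing user cannot modify.
AUDIT_LOG: list[dict] = []


def is_non_privileged(user: str) -> bool:
    """AC.L2-3.1.7[b]: a non-privileged user is one whose role grants no privileged function."""
    role = USER_ROLES.get(user)
    return not any(role in roles for roles in PRIVILEGED_FUNCTIONS.values())


def privileged(function_name: str):
    """Gate a function: deny unauthorized callers (3.1.7[c]) and log every attempt (3.1.7[d])."""
    allowed_roles = PRIVILEGED_FUNCTIONS[function_name]

    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(actor: str, *args, **kwargs):
            record = {
                "ts": time.time(), "actor": actor, "role": USER_ROLES.get(actor),
                "function": function_name, "args": json.dumps([args, kwargs], default=str),
            }
            if USER_ROLES.get(actor) not in allowed_roles:
                record["outcome"] = "denied"
                AUDIT_LOG.append(record)
                raise PermissionError(f"{actor} may not execute {function_name}")
            try:
                result = fn(actor, *args, **kwargs)
            except Exception as exc:
                record["outcome"] = f"error: {exc}"
                AUDIT_LOG.append(record)
                raise
            record["outcome"] = "success"
            AUDIT_LOG.append(record)
            return result
        return wrapper
    return decorator


@privileged("create_user")
def create_user(actor: str, username: str) -> str:
    return f"created {username}"


@privileged("change_firewall_rule")
def change_firewall_rule(actor: str, rule: str) -> str:
    return f"applied {rule}"


def try_call(fn, actor: str, *args) -> str:
    """Return the outcome as a string instead of raising, for demonstration and tests."""
    try:
        return fn(actor, *args)
    except PermissionError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    print(try_call(create_user, "alice", "mallory"))
    print(try_call(create_user, "bob", "dave"))
    print(try_call(change_firewall_rule, "carol", "allow tcp/22 from any"))
    for rec in AUDIT_LOG:
        print(json.dumps(rec))
```

The denial is raised before the wrapped function body runs, so there is no code path in which a non-privileged caller reaches the privileged operation; and the audit record is written on the denied path too, which is what turns a blocked attempt into a detection. Note that carol, who is privileged for audit configuration, is still denied the firewall change: privilege is per function, not a single flag.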

  • Session Termination (AC.L2-3.1.11[a])

    Session Termination (AC.L2-3.1.11[a]) covers the first assessment objective of AC.L2-3.1.11: conditions requiring a user session to terminate are defined. Unlike the session lock in AC.L2-3.1.10, which preserves the session behind a lock screen, termination ends it entirely. The conditions are set by the organization and commonly include a period of inactivity, a maximum session lifetime, time-of-day restrictions, user logout, and revocation of the user's credentials or privileges.

  • Session Termination (AC.L2-3.1.11[b])

    Session Termination (AC.L2-3.1.11[b]) covers the second assessment objective of AC.L2-3.1.11: a user session is automatically terminated after any of the defined conditions occur. The system, not the user, must enforce termination: when a condition from [a] is met, the session state is discarded and the user must authenticate again to continue, and a session that is merely locked must still be terminated once a termination condition is reached.
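
Session lock (AC.L2-3.1.10, including the pattern-hiding display of objective [c]) and session termination (AC.L2-3.1.11) are easy to conflate, so the following added example models both in one small state machine for an application session. It is example code written for this page, not the page author's, and the timeouts in `SessionPolicy` are assumed values standing in for whatever the organization defines.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ACTIVE = "active"
    LOCKED = "locked"
    TERMINATED = "terminated"


@dataclass(frozen=True)
class SessionPolicy:
    """Organization-defined values; the numbers here are assumptions for the example."""
    lock_after: int = 15 * 60             # AC.L2-3.1.10[a]: inactivity before the session locks
    idle_terminate_after: int = 60 * 60   # AC.L2-3.1.11[a]: inactivity before the session ends
    max_lifetime: int = 12 * 60 * 60      # AC.L2-3.1.11[a]: absolute lifetime regardless of activity


LOCK_SCREEN = "*** Session locked. Re-authenticate to continue. ***"


@dataclass
class Session:
    user: str
    created_at: int
    policy: SessionPolicy = field(default_factory=SessionPolicy)
    content: str = ""            # whatever the user had on screen
    state: State = State.ACTIVE
    last_activity: int = 0
    end_reason: str = ""

    def __post_init__(self) -> None:
        self.last_activity = self.created_at

    def evaluate(self, now: int) -> State:
        """Apply the time-based conditions. Call on every request and from a timer."""
        if self.state is State.TERMINATED:
            return self.state
        idle = now - self.last_activity
        if now - self.created_at >= self.policy.max_lifetime:
            self.terminate("max lifetime reached")
        elif idle >= self.policy.idle_terminate_after:
            self.terminate("idle timeout")     # AC.L2-3.1.11[b]: a locked session still expires
        elif idle >= self.policy.lock_after:
            self.state = State.LOCKED          # AC.L2-3.1.10[b]: access blocked, session state kept
        return self.state

    def render(self, now: int) -> str:
        """AC.L2-3.1.10[c]: once locked, previously visible content is replaced, not just disabled."""
        self.evaluate(now)
        if self.state is State.ACTIVE:
            return self.content
        if self.state is State.LOCKED:
            return LOCK_SCREEN
        return f"session ended: {self.end_reason}"

    def touch(self, now: int) -> bool:
        """Record user activity. Returns False (and changes nothing) unless the session is active."""
        if self.evaluate(now) is not State.ACTIVE:
            return False
        self.last_activity = now
        return True

    def unlock(self, now: int, reauthenticated: bool) -> bool:
        """Leave the locked state only after the user has re-proved identity."""
        if self.evaluate(now) is not State.LOCKED or not reauthenticated:
            return False
        self.state = State.ACTIVE
        self.last_activity = now
        return True

    def terminate(self, reason: str) -> None:
        """Explicit termination for non-time conditions (logout, credential revoked, admin action)."""
        self.state = State.TERMINATED
        self.end_reason = reason
        self.content = ""    # nothing is recoverable after termination
```

Three behaviours are worth noticing. Activity on a locked session does not unlock it (`touch` returns False), only re-authentication does, which is what makes the lock meaningful. A locked session keeps ageing toward the idle termination limit, so a user who walks away for the afternoon ends up terminated, not merely locked. And `render` returns the lock screen rather than the content the moment the lock threshold passes, which is the pattern-hiding requirement of 3.1.10[c] rather than a separate timer.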

  • Mobile Device Connection (AC.L2-3.1.18[a])

    Mobile Device Connection (AC.L2-3.1.18[a]) covers the first assessment objective of AC.L2-3.1.18: mobile devices that process, store or transmit CUI are identified. The organization maintains an inventory of the smartphones, tablets and laptops, whether company-owned or personally owned, that are permitted to handle CUI, so that the authorization and monitoring in [b] and [c] apply to a known set of devices.

  • Mobile Device Connection (AC.L2-3.1.18[b])

    Mobile Device Connection (AC.L2-3.1.18[b]) covers the second assessment objective of AC.L2-3.1.18: mobile device connections are authorized. A mobile device may connect to organizational systems only after it has been approved, typically by enrolling it in mobile device management, confirming it meets the configuration baseline (encryption, screen lock, supported operating system) and binding it to an authorized user; unknown or unenrolled devices are refused.

  • Mobile Device Connection (AC.L2-3.1.18[c])

    Mobile Device Connection (AC.L2-3.1.18[c]) covers the third assessment objective of AC.L2-3.1.18: mobile device connections are monitored and logged. Connections from mobile devices are recorded with the device identity, user, time and resource accessed, and the logs are reviewed so that connections from devices that are not in the inventory, or from authorized devices behaving abnormally, can be detected and acted on.

  • Privileged Remote Access (AC.L2-3.1.15[a])

    Privileged Remote Access (AC.L2-3.1.15[a]) covers the first assessment objective of AC.L2-3.1.15: privileged commands authorized for remote execution are identified. The organization lists which administrative operations (for example restarting services, applying patches or changing firewall rules) may be performed over a remote session at all; anything not on the list must be done from a local or on-site console. Multifactor authentication for remote access is a separate requirement under IA.L2-3.5.3, not the subject of this objective.

  • Privileged Remote Access (AC.L2-3.1.15[b])

    Privileged Remote Access (AC.L2-3.1.15[b]) covers the second assessment objective of AC.L2-3.1.15: security-relevant information authorized to be accessed remotely is identified. Security-relevant information includes audit logs, security configuration, cryptographic keys and account databases; the organization decides which of these, if any, may be reached over a remote session and documents the list.

  • Privileged Remote Access (AC.L2-3.1.15[c])

    Privileged Remote Access (AC.L2-3.1.15[c]) covers the third assessment objective of AC.L2-3.1.15: the execution of the identified privileged commands via remote access is authorized. Only the commands identified under [a] may be run remotely, and only by users explicitly authorized to run them, enforced for instance by a bastion host or privileged access management tool that restricts the commands available in a remote session and records what was executed.

  • Privileged Remote Access (AC.L2-3.1.15[d])

    Privileged Remote Access (AC.L2-3.1.15[d]) covers the fourth assessment objective of AC.L2-3.1.15: access to the identified security-relevant information via remote access is authorized. Remote access to the items listed under [b] is granted explicitly and only to the users who need it, and remote sessions that reach this information are subject to the same monitoring as other privileged activity.

  • Encrypt CUI on Mobile (AC.L2-3.1.19[a])

    Encrypt CUI on Mobile (AC.L2-3.1.19[a]) covers the first assessment objective of AC.L2-3.1.19: mobile devices and mobile computing platforms that process, store or transmit CUI are identified. This is the same device inventory required by AC.L2-3.1.18[a], extended to any portable platform that can hold CUI, and it defines the set of devices on which the encryption in [b] must be verified.

  • Encrypt CUI on Mobile (AC.L2-3.1.19[b])

    Encrypt CUI on Mobile (AC.L2-3.1.19[b]) covers the second assessment objective of AC.L2-3.1.19: encryption is employed to protect CUI on the identified mobile devices and mobile computing platforms. Full-device or container encryption must be enabled and verified, for example through mobile device management reporting, on every device from [a], using FIPS-validated cryptography as required by SC.L2-3.13.11, so that a lost or stolen device does not expose the CUI it holds.