CMMC | Compliance | Fluid Attacks Help

CMMC


Summary

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is aimed at measuring the maturity of an organization's cybersecurity processes (process institutionalization). The version used in this section is CMMC 2.0.

Definitions

Definition / Requirements

AC_L1-3_1_1. Authorized access control
    033. Restrict administrative access
    035. Manage privilege modifications
    095. Define users with privileges
    096. Set user's required privileges
    176. Restrict system objects
    227. Display access notification
    265. Restrict access to critical processes

AC_L1-3_1_2. Transaction & function control
    030. Avoid object reutilization
    084. Allow transaction history queries
    147. Use pre-existent mechanisms
    174. Transactions without a distinguishable pattern
    176. Restrict system objects
    229. Request access credentials
    264. Request authentication
    265. Restrict access to critical processes
    346. Use initialization vectors once

AC_L1-3_1_20. External connections
    092. Use externally signed certificates
    262. Verify third-party components
    284. Define maximum number of connections
    324. Control redirects
    330. Verify Subresource Integrity

AC_L1-3_1_22. Control public information
    045. Remove metadata when sharing files
    123. Restrict the reading of emails
    261. Avoid exposing sensitive information
    325. Protect WSDL files
    364. Provide extended validation (EV) certificates

AC_L2-3_1_3. Control CUI flow
    331. Guarantee legal compliance

AC_L2-3_1_4. Separation of duties
    033. Restrict administrative access
    035. Manage privilege modifications
    095. Define users with privileges
    096. Set user's required privileges

AC_L2-3_1_5. Least privilege
    186. Use the principle of least privilege

AC_L2-3_1_6. Non-privileged account use
    033. Restrict administrative access
    096. Set user's required privileges

AC_L2-3_1_7. Privileged functions
    035. Manage privilege modifications
    080. Prevent log modification
    083. Avoid logging sensitive data

AC_L2-3_1_8. Unsuccessful logon attempts
    131. Deny multiple password changing attempts
    210. Delete information from mobile devices
    225. Proper authentication responses
    226. Avoid account lockouts
    227. Display access notification

AC_L2-3_1_9. Privacy & security notices
    225. Proper authentication responses
    227. Display access notification
    301. Notify configuration changes
    318. Notify third parties of changes
    358. Notify upcoming expiration dates

AC_L2-3_1_10. Session lock
    027. Allow session lockout
    114. Deny access with inactive credentials
    144. Remove inactive accounts periodically

AC_L2-3_1_11. Session termination
    023. Terminate inactive user sessions
    031. Discard user session data
    141. Force re-authentication

AC_L2-3_1_12. Control remote access
    153. Out of band transactions
    213. Allow geographic location
    253. Restrict network access
    257. Access based on user credentials
    377. Store logs based on valid regulation

AC_L2-3_1_13. Remote access confidentiality
    147. Use pre-existent mechanisms
    172. Encrypt connection strings
    181. Transmit data using secure protocols
    336. Disable insecure TLS versions
    338. Implement perfect forward secrecy

AC_L2-3_1_14. Remote access routing
    249. Locate access points
    250. Manage access points
    320. Avoid client-side control enforcement

AC_L2-3_1_15. Privileged remote access
    095. Define users with privileges
    096. Set user's required privileges

AC_L2-3_1_16. Wireless access authorization
    253. Restrict network access

AC_L2-3_1_17. Wireless access protection
    250. Manage access points
    252. Configure key encryption
    253. Restrict network access
    255. Allow access only to the necessary ports

AC_L2-3_1_18. Mobile device connection
    205. Configure PIN
    206. Configure communication protocols
    213. Allow geographic location

AC_L2-3_1_19. Encrypt CUI on mobile
    026. Encrypt client-side session information
    185. Encrypt sensitive information
    329. Keep client-side storage without sensitive data

AC_L2-3_1_21. Portable storage use
    210. Delete information from mobile devices
    214. Allow data destruction

AT_L2-3_2_1. Role-based risk awareness
    062. Define standard configurations
    077. Avoid disclosing technical information
    155. Application free of malicious code
    156. Source code without sensitive information
    158. Use a secure programming language
    161. Define secure default options
    167. Close unused resources
    171. Remove commented-out code

AU_L2-3_3_1. System audit
    075. Record exceptional events in logs
    376. Register severity level
    377. Store logs based on valid regulation
    378. Use of log management system

AU_L2-3_3_2. User accountability
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
    085. Allow session history queries

AU_L2-3_3_3. Event review
    075. Record exceptional events in logs
    322. Avoid excessive logging

AU_L2-3_3_4. Audit failure alerting
    225. Proper authentication responses
    301. Notify configuration changes
    313. Inform inability to identify users

AU_L2-3_3_7. Authoritative time source
    079. Record exact occurrence time of events
    363. Synchronize system clocks

AU_L2-3_3_8. Audit protection
    080. Prevent log modification

AU_L2-3_3_9. Audit management
    095. Define users with privileges
    378. Use of log management system

CM_L2-3_4_2. Security configuration enforcement
    062. Define standard configurations
    266. Disable insecure functionalities
    273. Define a fixed security suite

CM_L2-3_4_3. System change management
    301. Notify configuration changes
    378. Use of log management system

CM_L2-3_4_5. Access restrictions for change
    033. Restrict administrative access
    176. Restrict system objects
    253. Restrict network access
    265. Restrict access to critical processes

CM_L2-3_4_6. Least functionality
    186. Use the principle of least privilege

CM_L2-3_4_7. Nonessential functionality
    167. Close unused resources

CM_L2-3_4_8. Application execution policy
    313. Inform inability to identify users

CM_L2-3_4_9. User-installed software
    026. Encrypt client-side session information
    320. Avoid client-side control enforcement
    329. Keep client-side storage without sensitive data
    352. Enable trusted execution
    375. Remove sensitive data from client-side applications

IA_L1-3_5_2. Authentication
    122. Validate credential ownership
    229. Request access credentials
    264. Request authentication

IA_L2-3_5_3. Multifactor authentication
    328. Request MFA for critical systems
    362. Assign MFA mechanisms to a single account

IA_L2-3_5_4. Replay-resistant authentication
    030. Avoid object reutilization
    033. Restrict administrative access

IA_L2-3_5_5. Identifier reuse
    030. Avoid object reutilization
    140. Define OTP lifespan
    335. Define out of band token lifespan

IA_L2-3_5_6. Identifier handling
    023. Terminate inactive user sessions
    114. Deny access with inactive credentials
    144. Remove inactive accounts periodically
    369. Set a maximum lifetime in sessions

IA_L2-3_5_7. Password complexity
    129. Validate previous passwords
    131. Deny multiple password changing attempts
    132. Passphrases with at least 4 words
    133. Passwords with at least 20 characters
    139. Set minimum OTP length
    334. Avoid knowledge-based authentication

IA_L2-3_5_8. Password reuse
    130. Limit password lifespan
    332. Prevent the use of breached passwords

IA_L2-3_5_9. Temporary passwords
    126. Set a password regeneration mechanism
    136. Force temporary password change
    137. Change temporary passwords of third parties
    138. Define lifespan for temporary passwords
    367. Proper generation of temporary passwords

IA_L2-3_5_10. Cryptographically-protected passwords
    127. Store hashed passwords
    134. Store passwords with salt
    209. Manage passwords in cache
    380. Define a password management tool

MA_L2-3_7_3. Equipment sanitization
    183. Delete sensitive data securely
    360. Remove unnecessary sensitive information

MA_L2-3_7_4. Media inspection
    041. Scan files for malicious code
    155. Application free of malicious code

MA_L2-3_7_5. Nonlocal maintenance
    328. Request MFA for critical systems
    362. Assign MFA mechanisms to a single account

MP_L1-3_8_3. Media disposal
    183. Delete sensitive data securely
    315. Provide processed data information
    317. Allow erasure requests
    318. Notify third parties of changes
    360. Remove unnecessary sensitive information

MP_L2-3_8_1. Media protection
    153. Out of band transactions
    232. Require equipment identity
    255. Allow access only to the necessary ports
    350. Enable memory protection mechanisms
    351. Assign unique keys to each device
    362. Assign MFA mechanisms to a single account

MP_L2-3_8_2. Media access
    176. Restrict system objects
    205. Configure PIN
    229. Request access credentials
    264. Request authentication
    351. Assign unique keys to each device

MP_L2-3_8_5. Media accountability
    153. Out of band transactions
    181. Transmit data using secure protocols

MP_L2-3_8_6. Portable storage encryption
    185. Encrypt sensitive information
    224. Use secure cryptographic mechanisms
    336. Disable insecure TLS versions

MP_L2-3_8_7. Removable media
    205. Configure PIN
    210. Delete information from mobile devices
    213. Allow geographic location
    214. Allow data destruction
    221. Disconnect unnecessary input devices
    255. Allow access only to the necessary ports
    326. Detect rooted devices

MP_L2-3_8_8. Shared media
    232. Require equipment identity

PE_L1-3_10_1. Limit physical access
    250. Manage access points
    257. Access based on user credentials
    273. Define a fixed security suite
    362. Assign MFA mechanisms to a single account

PE_L1-3_10_4. Physical access logs
    075. Record exceptional events in logs
    085. Allow session history queries

PE_L1-3_10_5. Manage physical access
    205. Configure PIN
    255. Allow access only to the necessary ports
    362. Assign MFA mechanisms to a single account
    373. Use certificate pinning

PE_L2-3_10_6. Alternative work sites
    273. Define a fixed security suite

RA_L2-3_11_2. Vulnerability scan
    041. Scan files for malicious code
    062. Define standard configurations
    155. Application free of malicious code

CA_L2-3_12_2. Plan of action
    039. Define maximum file size
    161. Define secure default options
    164. Use optimized structures
    175. Protect pages from clickjacking
    262. Verify third-party components
    273. Define a fixed security suite
    340. Use octet stream downloads
    345. Establish protections against overflows

CA_L2-3_12_3. Security control monitoring
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
    376. Register severity level
    378. Use of log management system

SC_L1-3_13_1. Boundary protection
    030. Avoid object reutilization
    145. Protect system cryptographic keys
    147. Use pre-existent mechanisms
    206. Configure communication protocols
    224. Use secure cryptographic mechanisms
    249. Locate access points
    250. Manage access points
    252. Configure key encryption
    253. Restrict network access
    255. Allow access only to the necessary ports
    257. Access based on user credentials
    336. Disable insecure TLS versions
    338. Implement perfect forward secrecy
    346. Use initialization vectors once

SC_L1-3_13_5. Public-access system separation
    259. Segment the organization network

SC_L2-3_13_3. Role separation
    095. Define users with privileges
    096. Set user's required privileges

SC_L2-3_13_4. Shared resource control
    075. Record exceptional events in logs
    096. Set user's required privileges
    127. Store hashed passwords
    176. Restrict system objects

SC_L2-3_13_6. Network communication by exception
    341. Use the principle of deny by default
    359. Avoid using generic exceptions

SC_L2-3_13_7. Split tunneling
    025. Manage concurrent sessions
    284. Define maximum number of connections

SC_L2-3_13_8. Data in transit
    077. Avoid disclosing technical information
    147. Use pre-existent mechanisms
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms

SC_L2-3_13_9. Connections termination
    023. Terminate inactive user sessions
    031. Discard user session data

SC_L2-3_13_10. Key management
    145. Protect system cryptographic keys
    151. Separate keys for encryption and signatures
    252. Configure key encryption
    351. Assign unique keys to each device

SC_L2-3_13_13. Mobile code
    205. Configure PIN

SC_L2-3_13_15. Communications authenticity
    030. Avoid object reutilization
    147. Use pre-existent mechanisms
    178. Use digital signatures
    338. Implement perfect forward secrecy

SC_L2-3_13_16. Data at rest
    062. Define standard configurations
    146. Remove cryptographic keys from RAM
    329. Keep client-side storage without sensitive data

SI_L1-3_14_2. Malicious code protection
    041. Scan files for malicious code
    155. Application free of malicious code

SI_L1-3_14_4. Update malicious code protection
    353. Schedule firmware updates

SI_L1-3_14_5. System & file scanning
    041. Scan files for malicious code
    323. Exclude unverifiable files
    339. Avoid storing sensitive files in the web root
    340. Use octet stream downloads
    352. Enable trusted execution

SI_L2-3_14_3. Security alerts & advisories
    075. Record exceptional events in logs

SI_L2-3_14_7. Identify unauthorized use
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
    376. Register severity level