Control | Control or Assessment Objective | Family | Short Name | Description | Additional Considerations | CMMC Level | POA&M Allowed / SPRS Points Deducted | SPRS Notes |
| 3.1.1 | Control | Access Control | Limit system access for users. | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Level 1 | No / -5 | ||
| 3.1.1[a] | Assessment Objective | Access Control | Authorized users are identified. | Is a list of authorized users maintained that defines their identities and roles [a]? | Level 1 | No | ||
| 3.1.1[b] | Assessment Objective | Access Control | Processes acting on behalf of authorized users are identified. | Level 1 | No | |||
| 3.1.1[c] | Assessment Objective | Access Control | Devices (including other systems) authorized to connect to the System are identified. | Level 1 | No | |||
| 3.1.1[d] | Assessment Objective | Access Control | System access is limited to authorized users. | Are account requests authorized before system access is granted [d,e,f]? | Level 1 | No | ||
| 3.1.1[e] | Assessment Objective | Access Control | System access is limited to processes acting on behalf of authorized users. | Are account requests authorized before system access is granted [d,e,f]? | Level 1 | No | ||
| 3.1.1[f] | Assessment Objective | Access Control | System access is limited to authorized devices (including other systems). | Are account requests authorized before system access is granted [d,e,f]? | Level 1 | No | ||
| 3.1.2 | Control | Access Control | Limit system access transactions. | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Level 1 | No / -5 | ||
| 3.1.2[a] | Assessment Objective | Access Control | The types of transactions and functions that authorized users are permitted to execute are defined. | Are access control lists used to limit access to applications and data based on role and/or identity [a]? | Level 1 | No | ||
| 3.1.2[b] | Assessment Objective | Access Control | System access is limited to the defined types of transactions and functions for authorized users. | Is access for authorized users restricted to those parts of the system they are explicitly permitted to use (e.g., a person who only performs word-processing cannot access developer tools) [b]? | Level 1 | No | ||
| 3.1.3 | Control | Access Control | Control CUI. | Control the flow of CUI in accordance with approved authorizations. | Level 2 | Yes / -1 | ||
| 3.1.3[a] | Assessment Objective | Access Control | Information flow control policies are defined. | Level 2 | Yes | |||
| 3.1.3[b] | Assessment Objective | Access Control | Methods and enforcement mechanisms for controlling the flow of CUI are defined. | Level 2 | Yes | |||
| 3.1.3[c] | Assessment Objective | Access Control | Designated sources and destinations (e.g., networks, individuals, and devices) for CUI within systems and between interconnected systems are identified. | Are designated sources of regulated data identified within the system (e.g., internal network and IP address) and between interconnected systems (e.g., external networks, IP addresses, ports, and protocols) [c]? | Level 2 | Yes | ||
| 3.1.3[d] | Assessment Objective | Access Control | Authorizations for controlling the flow of CUI are defined. | Are authorizations defined for each source and destination within the system and between interconnected systems (e.g., allow or deny rules for each combination of source and destination) [d]? | Level 2 | Yes | ||
| 3.1.3[e] | Assessment Objective | Access Control | Approved authorizations for controlling the flow of CUI are enforced. | Are approved authorizations for controlling the flow of regulated data enforced within the system and between interconnected systems (e.g., traffic between authorized sources and destinations is allowed and traffic between unauthorized sources and destinations is denied) [e]? | Level 2 | Yes | ||
| 3.1.4 | Control | Access Control | Separate user duties. | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Level 2 | Yes / -1 | ||
| 3.1.4[a] | Assessment Objective | Access Control | The duties of individuals requiring separation to reduce the risk of malevolent activity are defined. | Does system documentation identify the system functions or processes that require separation of duties (e.g., function combinations that represent a conflict of interest or an over-allocation of security privilege for one individual) [a]? | Level 2 | Yes | ||
| 3.1.4[b] | Assessment Objective | Access Control | Organization-defined duties of individuals requiring separation are separated. | Level 2 | Yes | |||
| 3.1.4[c] | Assessment Objective | Access Control | Separate accounts for individuals whose duties and accesses must be separated to reduce the risk of malevolent activity or collusion are established | Level 2 | Yes | |||
| 3.1.5 | Control | Access Control | Least privilege. | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Level 2 | No / -3 | ||
| 3.1.5[a] | Assessment Objective | Access Control | Privileged accounts are identified. | Are privileged accounts documented and is when they may be used defined [a]? | Level 2 | No | ||
| 3.1.5[b] | Assessment Objective | Access Control | Access to privileged accounts is authorized in accordance with the principle of least privilege. | Are users assigned privileged accounts to perform their job functions only when it is necessary [b]? | Level 2 | No | ||
| 3.1.5[c] | Assessment Objective | Access Control | Security functions are identified. | Are necessary security functions identified (e.g., access control configuration, system configuration settings, or privileged account lists) that must be managed through the use of privileged accounts [c]? | Level 2 | No | ||
| 3.1.5[d] | Assessment Objective | Access Control | Access to security functions is authorized in accordance with the principle of least privilege. | Is access to privileged functions and security information restricted to authorized employees [d]? | Level 2 | No | ||
| 3.1.6 | Control | Access Control | Non-privileged accounts. | Use non-privileged accounts or roles when accessing nonsecurity functions. | Level 2 | Yes / -1 | ||
| 3.1.6[a] | Assessment Objective | Access Control | Nonsecurity functions are identified. | Are nonsecurity functions and non-privileged roles defined [a,b]? | Level 2 | Yes | ||
| 3.1.6[b] | Assessment Objective | Access Control | Users are required to use non-privileged accounts or roles when accessing nonsecurity functions. | Are nonsecurity functions and non-privileged roles defined [a,b]? | Level 2 | Yes | ||
| 3.1.7 | Control | Access Control | Non-privileged user activity. | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Level 2 | Yes / -1 | ||
| 3.1.7[a] | Assessment Objective | Access Control | Privileged functions are defined. | Are the privileged system functions documented (e.g., functions that involve the control, monitoring or administration of the system, including security functions and log management) [a]? | Level 2 | Yes | ||
| 3.1.7[b] | Assessment Objective | Access Control | Non-privileged users are defined. | Level 2 | Yes | |||
| 3.1.7[c] | Assessment Objective | Access Control | Non-privileged users are prevented from executing privileged functions. | Do documented procedures describe the configuration of the system to ensure system roles do not grant non-privileged users the ability to execute privileged functions [c]? | Level 2 | Yes | ||
| 3.1.7[d] | Assessment Objective | Access Control | The execution of privileged functions is captured in audit logs. | Is it possible to identify who enabled privileges at any particular time [d]? | Level 2 | Yes | ||
| 3.1.8 | Control | Access Control | Limit unsuccessful logons. | Limit unsuccessful logon attempts. | Level 2 | Yes / -1 | ||
| 3.1.8[a] | Assessment Objective | Access Control | The means of limiting unsuccessful logon attempts is defined. | Is there a defined threshold for the number of unsuccessful logon attempts for which the system takes action to prevent additional attempts [a]? | Level 2 | Yes | ||
| 3.1.8[b] | Assessment Objective | Access Control | The defined means of limiting unsuccessful logon attempts is implemented. | Is a mechanism for limiting the number of unsuccessful logon attempts implemented and does it use the defined threshold [b]? | Level 2 | Yes | ||
| 3.1.9 | Control | Access Control | Provide privacy & security notices. | Provide privacy and security notices consistent with applicable CUI rules. | Level 2 | Yes / -1 | ||
| 3.1.9[a] | Assessment Objective | Access Control | Privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category | Are objectives identified for privacy and security notices, and does the implementation satisfy the required objectives [a,b]? Discrepancies may indicate a deficient process and/or an incomplete objective for the overall requirement. | Level 2 | Yes | ||
| 3.1.9[b] | Assessment Objective | Access Control | Privacy and security notices are displayed. | Are objectives identified for privacy and security notices, and does the implementation satisfy the required objectives [a,b]? Discrepancies may indicate a deficient process and/or an incomplete objective for the overall requirement. | Level 2 | Yes | ||
| 3.1.10 | Control | Access Control | Use session Lock. | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | Level 2 | Yes / -1 | ||
| 3.1.10[a] | Assessment Objective | Access Control | The period of inactivity after which the System initiates a session lock is defined. | If session locks are not managed centrally, how are all computer users made aware of the requirements and how to configure them [a,b,c]? | Level 2 | Yes | ||
| 3.1.10[b] | Assessment Objective | Access Control | Access to the System and viewing of data is prevented by initiating a session lock after the defined period of inactivity. | If session locks are not managed centrally, how are all computer users made aware of the requirements and how to configure them [a,b,c]? | Level 2 | Yes | ||
| 3.1.10[c] | Assessment Objective | Access Control | Previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. | If session locks are not managed centrally, how are all computer users made aware of the requirements and how to configure them [a,b,c]? Does the session lock hide previously visible information (e.g., replacing what was visible with a lock screen or screensaver that does not include sensitive information) [c]? | Level 2 | Yes | ||
| 3.1.11 | Control | Access Control | User session termination. | Terminate (automatically) a user session after a defined condition. | Level 2 | Yes / -1 | ||
| 3.1.11[a] | Assessment Objective | Access Control | Conditions requiring a user session to terminate are defined. | Are the conditions in which a user session must be terminated described (e.g., after a period of inactivity or after a defined time limit) [a]? | Level 2 | Yes | ||
| 3.1.11[b] | Assessment Objective | Access Control | A user session is automatically terminated after any of the defined conditions occur. | Are procedures documented that describe how to configure the system to enable automatic termination of user sessions after any of the defined conditions occur [b]? | Level 2 | Yes | ||
| 3.1.12 | Control | Access Control | Remote access control. | Monitor and control remote access sessions. | Level 2 | No / -5 | Do not subtract points if remote access not permitted | |
| 3.1.12[a] | Assessment Objective | Access Control | Remote access sessions are permitted. | Do policies identify when remote access is permitted and what methods must be used [a,b]? | Level 2 | No | ||
| 3.1.12[b] | Assessment Objective | Access Control | The types of permitted remote access are identified. | Do policies identify when remote access is permitted and what methods must be used [a,b]? | Level 2 | No | ||
| 3.1.12[c] | Assessment Objective | Access Control | Remote access sessions are controlled. | Are systems configured to permit only approved remote access sessions (e.g., disallow remote access sessions by default) [c]? | Level 2 | No | ||
| 3.1.12[d] | Assessment Objective | Access Control | Remote access sessions are monitored. | Are automated or manual mechanisms employed for monitoring remote connections? If the monitoring is manual, does it occur at a frequency commensurate with the level of risk [d]? | Level 2 | No | ||
| 3.1.13 | Control | Access Control | Employ cryptographic mechanisms. | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Level 2 | No / -5 | Do not subtract points if remote access not permitted | |
| 3.1.13[a] | Assessment Objective | Access Control | Cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. | Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer Security (TLS) and Internet Protocol Security (IPSec) using FIPS-validated encryption algorithms) defined and implemented [a,b]? Note that simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. | Level 2 | No | ||
| 3.1.13[b] | Assessment Objective | Access Control | Cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. | Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer Security (TLS) and Internet Protocol Security (IPSec) using FIPS-validated encryption algorithms) defined and implemented [a,b]? Note that simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. | Level 2 | No | ||
| 3.1.14 | Control | Access Control | Route remote access via control points. | Route remote access via managed access control points. | Level 2 | Yes / -1 | ||
| 3.1.14[a] | Assessment Objective | Access Control | Managed access control points are identified and implemented. | How many managed access control points are implemented [a]? | Level 2 | Yes | ||
| 3.1.14[b] | Assessment Objective | Access Control | Remote access is routed through managed network access control points. | Is all remote access routed through the managed access control points [b]? | Level 2 | Yes | ||
| 3.1.15 | Control | Access Control | Authorize remote execution of privileged commands. | Authorize remote execution of privileged commands and remote access to security-relevant information. | Level 2 | Yes / -1 | ||
| 3.1.15[a] | Assessment Objective | Access Control | Privileged commands authorized for remote execution are identified. | Does system documentation identify system administration or security functions that can be executed remotely [a]? | Level 2 | Yes | ||
| 3.1.15[b] | Assessment Objective | Access Control | Security-relevant information authorized to be accessed remotely is identified. | Level 2 | Yes | |||
| 3.1.15[c] | Assessment Objective | Access Control | The execution of the identified privileged commands via remote access is authorized. | Is execution of the identified privileged commands via remote access only authorized for documented operational needs [c]? | Level 2 | Yes | ||
| 3.1.15[d] | Assessment Objective | Access Control | Access to the identified security-relevant information via remote access is authorized. | Level 2 | Yes | |||
| 3.1.16 | Control | Access Control | Authorize wireless access prior to use. | Authorize wireless access prior to allowing such connections. | Level 2 | No / -5 | Do not subtract points if wireless access not permitted | |
| 3.1.16[a] | Assessment Objective | Access Control | Wireless access points are identified. | Is an updated list of approved network devices providing wireless access to the system maintained [a]? | Level 2 | No | ||
| 3.1.16[b] | Assessment Objective | Access Control | Wireless access is authorized prior to allowing such connections. | Are network devices providing wireless access configured to require users or devices be authorized prior to permitting a wireless connection [b]? | Level 2 | No | ||
| 3.1.17 | Control | Access Control | Protect wireless access. | Protect wireless access using authentication and encryption. | Level 2 | No / -5 | Do not subtract points if wireless access not permitted | |
| 3.1.17[a] | Assessment Objective | Access Control | Wireless access to the System is protected using encryption. | Is wireless access limited only to authenticated and authorized users (e.g., required to supply a username and password) [a]? | Level 2 | No | ||
| 3.1.17[b] | Assessment Objective | Access Control | Wireless access to the System is protected using authentication. | Is wireless access encrypted using FIPS-validated cryptography? Note that simply using an approved algorithm is not sufficient; the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140 [b]. | Level 2 | No | ||
| 3.1.18 | Control | Access Control | Control connection of mobile devices. | Control connection of mobile devices. | Level 2 | No / -5 | Do not subtract points if connection of mobile devices is not permitted | |
| 3.1.18[a] | Assessment Objective | Access Control | Mobile devices that process, store, or transmit CUI are identified. | Is a list of mobile devices that are permitted to process, store, or transmit CUI maintained [a,b]? | Level 2 | No | ||
| 3.1.18[b] | Assessment Objective | Access Control | The connection of mobile devices is authorized. | Is a list of mobile devices that are permitted to process, store, or transmit CUI maintained [a,b]? | Level 2 | No | ||
| 3.1.18[c] | Assessment Objective | Access Control | Mobile device connections are monitored and logged. | Level 2 | No | |||
| 3.1.19 | Control | Access Control | Encrypt CUI on mobile devices. | Encrypt CUI on mobile devices and mobile computing platforms. | Level 2 | No / -3 | Exposure limited to CUI on mobile platform | |
| 3.1.19[a] | Assessment Objective | Access Control | Mobile devices and mobile computing platforms that process, store, or transmit CUI are identified. | Is a list maintained of mobile devices and mobile computing platforms that are permitted to process, store, or transmit CUI [a]? | Level 2 | No | ||
| 3.1.19[b] | Assessment Objective | Access Control | Encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. | Is CUI encrypted on mobile devices using FIPS-validated algorithms [b]? | Level 2 | No | ||
| 3.1.20 | Control | Access Control | Verify/control use of external systems. | Verify and control/limit connections to and use of external systems. | Level 1 | Yes / -1 | ||
| 3.1.20[a] | Assessment Objective | Access Control | Connections to external systems are identified. | Are all connections to external systems outside of the assessment scope identified [a]? | Level 1 | Yes | ||
| 3.1.20[b] | Assessment Objective | Access Control | Use of external systems is identified. | Are external systems (e.g., systems managed by OSAs, partners, or vendors; personal devices) that are permitted to connect to or make use of organizational systems identified [b]? | Level 1 | Yes | ||
| 3.1.20[c] | Assessment Objective | Access Control | Connections to external systems are verified. | Are methods employed to ensure that only authorized connections are being made to external systems (e.g., requiring log-ins or certificates, access from a specific IP address, or access via Virtual Private Network (VPN)) [c,e]? | Level 1 | Yes | ||
| 3.1.20[d] | Assessment Objective | Access Control | Use of external systems is verified. | Are methods employed to confirm that only authorized external systems are connecting (e.g., if employees are receiving company email on personal cell phones, is the OSA checking to verify that only known/expected devices are connecting) [d]? | Level 1 | Yes | ||
| 3.1.20[e] | Assessment Objective | Access Control | Connections to external systems are controlled/limited. | Are methods employed to ensure that only authorized connections are being made to external systems (e.g., requiring log-ins or certificates, access from a specific IP address, or access via Virtual Private Network (VPN)) [c,e]? | Level 1 | Yes | ||
| 3.1.20[f] | Assessment Objective | Access Control | Use of external systems is controlled/limited. | Is the use of external systems limited, including by policy or physical control [f]? | Level 1 | Yes | ||
| 3.1.21 | Control | Access Control | Limit use of portable storage devices on external systems. | Limit use of organizational portable storage devices on external systems. | Level 2 | Yes / -1 | ||
| 3.1.21[a] | Assessment Objective | Access Control | Use of organizational portable storage devices containing CUI on external systems is identified and documented. | Are the portable storage devices authorized for external use identified and documented [a]? | Level 2 | Yes | ||
| 3.1.21[b] | Assessment Objective | Access Control | Limits on the use of organizational portable storage devices containing CUI on external systems are defined. | Are the circumstances defined in which portable storage devices containing CUI may be used on external systems (e.g., with management approval) [b]? | Level 2 | Yes | ||
| 3.1.21[c] | Assessment Objective | Access Control | Use of organizational portable storage devices containing CUI on external systems is limited as defined. | Level 2 | Yes | |||
| 3.1.22 | Control | Access Control | Control CUI posted or processed on publicly systems. | Control CUI posted or processed on publicly accessible systems. | Level 1 | Yes / -1 | ||
| 3.1.22[a] | Assessment Objective | Access Control | Individuals authorized to post or process information on publicly accessible systems are identified. | Level 1 | Yes | |||
| 3.1.22[b] | Assessment Objective | Access Control | Procedures to ensure CUI is not posted or processed on publicly accessible systems are identified. | Level 1 | Yes | |||
| 3.1.22[c] | Assessment Objective | Access Control | A review process in in place prior to posting of any content to publicly accessible systems. | Does information on externally facing systems (i.e., publicly accessible) have a documented approval chain for public release [c]? | Level 1 | Yes | ||
| 3.1.22[d] | Assessment Objective | Access Control | Content on publicly accessible information systems is reviewed to ensure that it does not include CUI. | Level 1 | Yes | |||
| 3.1.22[e] | Assessment Objective | Access Control | Mechanisms are in place to remove and address improper posting of CUI. | Level 1 | Yes | |||
| 3.2.1 | Control | Awareness and Training | Ensure personnel are aware of security policies and procedures. | Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. | Level 2 | No / -5 | ||
| 3.2.1[a] | Assessment Objective | Awareness and Training | Security risks associated with organizational activities involving CUI are identified. | Level 2 | No | |||
| 3.2.1[b] | Assessment Objective | Awareness and Training | Policies, standards, and procedures related to the security of the System are identified. | Level 2 | No | |||
| 3.2.1[c] | Assessment Objective | Awareness and Training | Managers, systems administrators, and users of the System are made aware of the security risks associated with their activities. | Do all users, managers, and system administrators receive initial and refresher training commensurate with their roles and responsibilities [c,d]? | Level 2 | No | ||
| 3.2.1[d] | Assessment Objective | Awareness and Training | Managers, systems administrators, and users of the System are made aware of the applicable policies, standards, and procedures related to the security of the System. | Do all users, managers, and system administrators receive initial and refresher training commensurate with their roles and responsibilities [c,d]? | Level 2 | No | ||
| 3.2.2 | Control | Awareness and Training | Ensure personnel have security training. | Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. | Level 2 | No / -5 | ||
| 3.2.2[a] | Assessment Objective | Awareness and Training | Information security-related duties, roles, and responsibilities are defined. | Are the duties, roles, and responsibilities that impact, directly or indirectly, the information security of the company or its systems defined and documented [a]? | Level 2 | No | ||
| 3.2.2[b] | Assessment Objective | Awareness and Training | Information security-related duties, roles, and responsibilities are assigned to designated personnel. | Do information security-related tasks have accountable owners, and is a strictly limited group of individuals assigned to perform them [b]? | Level 2 | No | ||
| 3.2.2[c] | Assessment Objective | Awareness and Training | Personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. | Are personnel who are assigned information security-related duties, roles, and responsibilities trained on those responsibilities, including the security requirements unique or inherent to their roles or responsibilities [c]? | Level 2 | No | ||
| 3.2.3 | Control | Awareness and Training | Provide insider threat security training. | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | Level 2 | Yes / -1 | ||
| 3.2.3[a] | Assessment Objective | Awareness and Training | Potential indicators associated with insider threats are identified. | Do training materials include potential indicators associated with insider threats (e.g., repeated security violations, unusual work hours, unexpected significant transfers of data, suspicious contacts, concerning behaviors outside the workplace) [a,b]? | Level 2 | Yes | ||
| 3.2.3[b] | Assessment Objective | Awareness and Training | Security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. | Do training materials include potential indicators associated with insider threats (e.g., repeated security violations, unusual work hours, unexpected significant transfers of data, suspicious contacts, concerning behaviors outside the workplace) [a,b]? | Level 2 | Yes | ||
| 3.3.1 | Control | Audit and Accountability | Create and retain system audit logs. | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Level 2 | No / -5 | ||
| 3.3.1[a] | Assessment Objective | Audit and Accountability | Audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. | Level 2 | No | |||
| 3.3.1[b] | Assessment Objective | Audit and Accountability | The content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. | Level 2 | No | |||
| 3.3.1[c] | Assessment Objective | Audit and Accountability | Audit records are created (generated). | Level 2 | No | |||
| 3.3.1[d] | Assessment Objective | Audit and Accountability | Audit records, once created, contain the defined content. | Level 2 | No | |||
| 3.3.1[e] | Assessment Objective | Audit and Accountability | Retention requirements for audit records are defined. | Are audit log retention requirements appropriate to the system and its associated level of risk [e]? | Level 2 | No | ||
| 3.3.1[f] | Assessment Objective | Audit and Accountability | Audit records are retained as defined. | Level 2 | No | |||
| 3.3.2 | Control | Audit and Accountability | Ensure traceability of system user activity. | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Level 2 | No / -3 | ||
| 3.3.2[a] | Assessment Objective | Audit and Accountability | The content of the audit records needed to support the ability to uniquely trace users to their actions is defined. | Are users uniquely traced and held responsible for unauthorized actions [a]? | Level 2 | No | ||
| 3.3.2[b] | Assessment Objective | Audit and Accountability | Audit records, once created, contain the defined content. | Does the system protect against an individual denying having performed an action (non- repudiation) [b]? | Level 2 | No | ||
| 3.3.3 | Control | Audit and Accountability | Review and update logged events. | Review and update logged events. | Level 2 | Yes / -1 | ||
| 3.3.3[a] | Assessment Objective | Audit and Accountability | A process for determining when to review logged events is defined. | Do documented processes include methods for determining when to review logged event types (i.e., regular frequency, after incidents, after major system changes) [a]? | Level 2 | Yes | ||
| 3.3.3[b] | Assessment Objective | Audit and Accountability | Event types being logged are reviewed in accordance with the defined review process. | Do documented processes include methods for reviewing event types being logged (i.e., based on specific threat, use case, retention capacity, current utilization, and/or newly added system component or functionality) [b]? | Level 2 | Yes | ||
| 3.3.3[c] | Assessment Objective | Audit and Accountability | Event types being logged are updated based on the review. | Level 2 | Yes | |||
| 3.3.4 | Control | Audit and Accountability | Alert in the event of an audit logging failure. | Alert in the event of an audit logging process failure. | Level 2 | Yes / -1 | ||
| 3.3.4[a] | Assessment Objective | Audit and Accountability | Personnel or roles to be alerted in the event of an audit logging process failure are identified. | Level 2 | Yes | |||
| 3.3.4[b] | Assessment Objective | Audit and Accountability | Types of audit logging process failures for which alert will be generated are defined. | Level 2 | Yes | |||
| 3.3.4[c] | Assessment Objective | Audit and Accountability | Identified personnel or roles are alerted in the event of an audit logging process failure. | Level 2 | Yes | |||
| 3.3.5 | Control | Audit and Accountability | Correlate audit records with incident information. | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Level 2 | No / -5 | ||
| 3.3.5[a] | Assessment Objective | Audit and Accountability | Audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. | Level 2 | No | |||
| 3.3.5[b] | Assessment Objective | Audit and Accountability | Defined audit record review, analysis, and reporting processes are correlated. | Are mechanisms used across different repositories to integrate audit review, analysis, correlation, and reporting processes [b]? | Level 2 | No | ||
| 3.3.6 | Control | Audit and Accountability | Provide audit record reduction and report generation. | Provide audit record reduction and report generation to support on-demand analysis and reporting. | Level 2 | Yes / -1 | ||
| 3.3.6[a] | Assessment Objective | Audit and Accountability | An audit record reduction capability that supports on-demand analysis is provided. | | Level 2 | Yes | ||
| 3.3.6[b] | Assessment Objective | Audit and Accountability | A report generation capability that supports on-demand reporting is provided. | Does the system support on-demand audit review, analysis, and reporting requirements and after-the-fact security investigations [b]? | Level 2 | Yes | ||
| 3.3.7 | Control | Audit and Accountability | Compare and synchronize system clocks with an authoritative time source for audit records. | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | Level 2 | Yes / -1 | ||
| 3.3.7[a] | Assessment Objective | Audit and Accountability | Internal system clocks are used to generate time stamps for audit records. | | Level 2 | Yes | ||
| 3.3.7[b] | Assessment Objective | Audit and Accountability | An authoritative source with which to compare and synchronize internal system clocks is specified. | | Level 2 | Yes | ||
| 3.3.7[c] | Assessment Objective | Audit and Accountability | Internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. | Can the records’ time stamps be mapped to Coordinated Universal Time (UTC), are system clocks compared with authoritative Network Time Protocol (NTP) servers, and are system clocks synchronized when the time difference is greater than 1 second [c]? | Level 2 | Yes | ||
| 3.3.8 | Control | Audit and Accountability | Protect audit logs from unauthorized access & modification. | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | Level 2 | Yes / -1 | ||
| 3.3.8[a] | Assessment Objective | Audit and Accountability | Audit information is protected from unauthorized access. | Is there a list of authorized users for audit systems and tools [a]? | Level 2 | Yes | ||
| 3.3.8[b] | Assessment Objective | Audit and Accountability | Audit information is protected from unauthorized modification. | | Level 2 | Yes | ||
| 3.3.8[c] | Assessment Objective | Audit and Accountability | Audit information is protected from unauthorized deletion. | | Level 2 | Yes | ||
| 3.3.8[d] | Assessment Objective | Audit and Accountability | Audit logging tools are protected from unauthorized access. | | Level 2 | Yes | ||
| 3.3.8[e] | Assessment Objective | Audit and Accountability | Audit logging tools are protected from unauthorized modification. | | Level 2 | Yes | ||
| 3.3.8[f] | Assessment Objective | Audit and Accountability | Audit logging tools are protected from unauthorized deletion. | | Level 2 | Yes | ||
| 3.3.9 | Control | Audit and Accountability | Limit management of audit logging functionality to a subset of privileged users. | Limit management of audit logging functionality to a subset of privileged users. | Level 2 | Yes / -1 | ||
| 3.3.9[a] | Assessment Objective | Audit and Accountability | A subset of privileged users granted access to manage audit logging functionality is defined. | | Level 2 | Yes | ||
| 3.3.9[b] | Assessment Objective | Audit and Accountability | Management of audit logging functionality is limited to the defined subset of privileged users. | Are audit records of nonlocal accesses to privileged accounts and the execution of privileged functions protected [b]? | Level 2 | Yes | ||
| 3.4.1 | Control | Configuration Management | Maintain configurations and inventories of organizational assets. | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Level 2 | No / -5 | ||
| 3.4.1[a] | Assessment Objective | Configuration Management | A baseline configuration is established. | Do baseline configurations include software versions and patch level, configuration parameters, network information, and communications with connected systems [a,b]? | Level 2 | No | ||
| 3.4.1[b] | Assessment Objective | Configuration Management | The baseline configuration includes hardware, software, firmware, and documentation. | Do baseline configurations include software versions and patch level, configuration parameters, network information, and communications with connected systems [a,b]? | Level 2 | No | ||
| 3.4.1[c] | Assessment Objective | Configuration Management | The baseline configuration is maintained (reviewed and updated) throughout the System development life cycle. | Are baseline configurations updated as needed to accommodate security risks or software changes [c]? | Level 2 | No | ||
| 3.4.1[d] | Assessment Objective | Configuration Management | A system inventory is established. | | Level 2 | No | ||
| 3.4.1[e] | Assessment Objective | Configuration Management | The system inventory includes hardware, software, firmware, and documentation. | | Level 2 | No | ||
| 3.4.1[f] | Assessment Objective | Configuration Management | The inventory is maintained (reviewed and updated) throughout the System development life cycle. | | Level 2 | No | ||
| 3.4.2 | Control | Configuration Management | Establish and enforce security configuration settings. | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Level 2 | No / -5 | ||
| 3.4.2[a] | Assessment Objective | Configuration Management | Security configuration settings for information technology products employed in the System are established and included in the baseline configuration. | Do security settings reflect the most restrictive settings appropriate [a]? | Level 2 | No | ||
| 3.4.2[b] | Assessment Objective | Configuration Management | Security configuration settings for information technology products employed in the System are enforced. | Are changes or deviations to security settings documented [b]? | Level 2 | No | ||
| 3.4.3 | Control | Configuration Management | Manage changes to organizational systems. | Track, review, approve or disapprove, and log changes to organizational systems. | Level 2 | Yes / -1 | ||
| 3.4.3[a] | Assessment Objective | Configuration Management | Changes to the System are tracked. | Are changes to the system authorized by company management and documented [a,b,c,d]? | Level 2 | Yes | ||
| 3.4.3[b] | Assessment Objective | Configuration Management | Changes to the System are reviewed. | Are changes to the system authorized by company management and documented [a,b,c,d]? | Level 2 | Yes | ||
| 3.4.3[c] | Assessment Objective | Configuration Management | Changes to the System are approved or disapproved. | Are changes to the system authorized by company management and documented [a,b,c,d]? | Level 2 | Yes | ||
| 3.4.3[d] | Assessment Objective | Configuration Management | Changes to the System are logged. | Are changes to the system authorized by company management and documented [a,b,c,d]? | Level 2 | Yes | ||
| 3.4.4 | Control | Configuration Management | Analyze the security impact of changes prior to implementation. | Analyze the security impact of changes prior to implementation. | Level 2 | Yes / -1 | ||
| 3.4.4[a] | Assessment Objective | Configuration Management | The security impact of changes to each organizational system is analyzed prior to implementation. | Are configuration changes tested, validated, and documented before installing them on the operational system [a]? | Level 2 | Yes | ||
| 3.4.5 | Control | Configuration Management | Physical and logical access restrictions. | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Level 2 | No / -5 | ||
| 3.4.5[a] | Assessment Objective | Configuration Management | Physical access restrictions associated with changes to the System are defined. | Are only employees who are approved to make physical or logical changes on systems allowed to do so [a,d,e,h]? | Level 2 | No | ||
| 3.4.5[b] | Assessment Objective | Configuration Management | Physical access restrictions associated with changes to the System are documented. | Does all change documentation include the name of the authorized employee making the change [b,d,f,h]? | Level 2 | No | ||
| 3.4.5[c] | Assessment Objective | Configuration Management | Physical access restrictions associated with changes to the System are approved. | | Level 2 | No | ||
| 3.4.5[d] | Assessment Objective | Configuration Management | Physical access restrictions associated with changes to the System are enforced. | Are only employees who are approved to make physical or logical changes on systems allowed to do so [a,d,e,h]? Does all change documentation include the name of the authorized employee making the change [b,d,f,h]? | Level 2 | No | ||
| 3.4.5[e] | Assessment Objective | Configuration Management | Logical access restrictions associated with changes to the System are defined. | Are only employees who are approved to make physical or logical changes on systems allowed to do so [a,d,e,h]? | Level 2 | No | ||
| 3.4.5[f] | Assessment Objective | Configuration Management | Logical access restrictions associated with changes to the System are documented. | Does all change documentation include the name of the authorized employee making the change [b,d,f,h]? | Level 2 | No | ||
| 3.4.5[g] | Assessment Objective | Configuration Management | Logical access restrictions associated with changes to the System are approved. | | Level 2 | No | ||
| 3.4.5[h] | Assessment Objective | Configuration Management | Logical access restrictions associated with changes to the System are enforced. | Are only employees who are approved to make physical or logical changes on systems allowed to do so [a,d,e,h]? Does all change documentation include the name of the authorized employee making the change [b,d,f,h]? | Level 2 | No | ||
| 3.4.6 | Control | Configuration Management | Employ the principle of least functionality. | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Level 2 | No / -5 | ||
| 3.4.6[a] | Assessment Objective | Configuration Management | Essential system capabilities are defined based on the principle of least functionality. | Are the roles and functions for each system identified along with the software and services required to perform those functions [a]? | Level 2 | No | ||
| 3.4.6[b] | Assessment Objective | Configuration Management | The system is configured to provide only the defined essential capabilities. | Is the information system configured to exclude any function not needed in the operational environment [b]? | Level 2 | No | ||
| 3.4.7 | Control | Configuration Management | Prevent use of nonessential items. | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Level 2 | No / -5 | ||
| 3.4.7[a] | Assessment Objective | Configuration Management | Essential programs are defined. | Are only applications and services that are needed for the function of the system configured and enabled [a,b,c,d,e,f]? | Level 2 | No | ||
| 3.4.7[b] | Assessment Objective | Configuration Management | The use of nonessential programs is defined. | Are only applications and services that are needed for the function of the system configured and enabled [a,b,c,d,e,f]? | Level 2 | No | ||
| 3.4.7[c] | Assessment Objective | Configuration Management | The use of nonessential programs is restricted, disabled, or prevented as defined. | Are only applications and services that are needed for the function of the system configured and enabled [a,b,c,d,e,f]? | Level 2 | No | ||
| 3.4.7[d] | Assessment Objective | Configuration Management | Essential functions are defined. | Are only applications and services that are needed for the function of the system configured and enabled [a,b,c,d,e,f]? | Level 2 | No | ||
| 3.4.7[e] | Assessment Objective | Configuration Management | The use of nonessential functions is defined. | Are only applications and services that are needed for the function of the system configured and enabled [a,b,c,d,e,f]? | Level 2 | No | ||
| 3.4.7[f] | Assessment Objective | Configuration Management | The use of nonessential functions is restricted, disabled, or prevented as defined. | Are only applications and services that are needed for the function of the system configured and enabled [a,b,c,d,e,f]? | Level 2 | No | ||
| 3.4.7[g] | Assessment Objective | Configuration Management | Essential ports are defined. | Are only those ports and protocols necessary to provide the service of the information system configured for that system [g,h,i,j,k,l]? | Level 2 | No | ||
| 3.4.7[h] | Assessment Objective | Configuration Management | The use of nonessential ports is defined. | Are only those ports and protocols necessary to provide the service of the information system configured for that system [g,h,i,j,k,l]? | Level 2 | No | ||
| 3.4.7[i] | Assessment Objective | Configuration Management | The use of nonessential ports is restricted, disabled, or prevented as defined. | Are only those ports and protocols necessary to provide the service of the information system configured for that system [g,h,i,j,k,l]? | Level 2 | No | ||
| 3.4.7[j] | Assessment Objective | Configuration Management | Essential protocols are defined. | Are only those ports and protocols necessary to provide the service of the information system configured for that system [g,h,i,j,k,l]? | Level 2 | No | ||
| 3.4.7[k] | Assessment Objective | Configuration Management | The use of nonessential protocols is defined. | Are only those ports and protocols necessary to provide the service of the information system configured for that system [g,h,i,j,k,l]? | Level 2 | No | ||
| 3.4.7[l] | Assessment Objective | Configuration Management | The use of nonessential protocols is restricted, disabled, or prevented as defined. | Are only those ports and protocols necessary to provide the service of the information system configured for that system [g,h,i,j,k,l]? | Level 2 | No | ||
| 3.4.7[m] | Assessment Objective | Configuration Management | Essential services are defined. | Are system services reviewed to determine what is essential for the function of that system [m]? | Level 2 | No | ||
| 3.4.7[n] | Assessment Objective | Configuration Management | The use of nonessential services is defined. | | Level 2 | No | ||
| 3.4.7[o] | Assessment Objective | Configuration Management | The use of nonessential services is restricted, disabled, or prevented as defined. | | Level 2 | No | ||
| 3.4.8 | Control | Configuration Management | Apply deny-by-exception to all software. | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | Level 2 | No / -5 | ||
| 3.4.8[a] | Assessment Objective | Configuration Management | A policy specifying whether whitelisting or blacklisting is to be implemented is specified. | Is the information system configured to only allow authorized software to run [a,b,c]? | Level 2 | No | ||
| 3.4.8[b] | Assessment Objective | Configuration Management | The software allowed to execute under whitelisting or denied use under blacklisting is specified. | Is the information system configured to only allow authorized software to run [a,b,c]? | Level 2 | No | ||
| 3.4.8[c] | Assessment Objective | Configuration Management | Whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. | Is the information system configured to only allow authorized software to run [a,b,c]? | Level 2 | No | ||
| 3.4.9 | Control | Configuration Management | Control and monitor user-installed software. | Control and monitor user-installed software. | Level 2 | Yes / -1 | ||
| 3.4.9[a] | Assessment Objective | Configuration Management | A policy for controlling the installation of software by users is established. | Are user controls in place to prohibit the installation of unauthorized software [a]? | Level 2 | Yes | ||
| 3.4.9[b] | Assessment Objective | Configuration Management | Installation of software by users is controlled based on the established policy. | Is all software in use on the information systems approved [b]? | Level 2 | Yes | ||
| 3.4.9[c] | Assessment Objective | Configuration Management | Installation of software by users is monitored. | Is there a mechanism in place to monitor the types of software a user is permitted to download (e.g., is there a whitelist of approved software) [c]? | Level 2 | Yes | ||
| 3.5.1 | Control | Identification and Authentication | Identify system users, processes acting on behalf of users, and devices. | Identify system users, processes acting on behalf of users, and devices. | Level 1 | No / -5 | ||
| 3.5.1[a] | Assessment Objective | Identification and Authentication | System users are identified. | Are unique identifiers issued to individual users (e.g., usernames) [a]? | Level 1 | No | ||
| 3.5.1[b] | Assessment Objective | Identification and Authentication | Processes acting on behalf of users are identified. | Are the processes and service accounts that an authorized user initiates identified (e.g., scripts, automatic updates, configuration updates, vulnerability scans) [b]? | Level 1 | No | ||
| 3.5.1[c] | Assessment Objective | Identification and Authentication | Devices accessing the System are identified. | Are unique device identifiers assigned to the devices that access the system [c]? | Level 1 | No | ||
| 3.5.2 | Control | Identification and Authentication | Authenticate users, processes, or devices. | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Level 1 | No / -5 | ||
| 3.5.2[a] | Assessment Objective | Identification and Authentication | The identity of each user is authenticated or verified as a prerequisite to system access. | Are unique authenticators used to verify user identities (e.g., passwords) [a]? | Level 1 | No | ||
| 3.5.2[b] | Assessment Objective | Identification and Authentication | The identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. | An example of a process acting on behalf of users could be a script that logs in as a person or service account [b]. Can the OSA show that it maintains a record of all of those service accounts for use when reviewing log data or responding to an incident? | Level 1 | No | ||
| 3.5.2[c] | Assessment Objective | Identification and Authentication | The identity of each device accessing or connecting to the System is authenticated or verified as a prerequisite to system access. | Are device identifiers used in authentication processes (e.g., MAC address, non-anonymous computer name, certificates) [c]? | Level 1 | No | ||
| 3.5.3 | Control | Identification and Authentication | Use MFA. | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | Level 2 | No / -5 or -3 | Subtract 5 points if MFA is not implemented. Subtract 3 points if it is implemented for remote and privileged users but not for general users. | |
| 3.5.3[a] | Assessment Objective | Identification and Authentication | Privileged accounts are identified. | | Level 2 | No | ||
| 3.5.3[b] | Assessment Objective | Identification and Authentication | Multifactor authentication is implemented for local access to privileged accounts. | Does the system uniquely identify and authenticate users, including privileged accounts [b,c,d]? | Level 2 | No | ||
| 3.5.3[c] | Assessment Objective | Identification and Authentication | Multifactor authentication is implemented for network access to privileged accounts. | Does the system uniquely identify and authenticate users, including privileged accounts [b,c,d]? | Level 2 | No | ||
| 3.5.3[d] | Assessment Objective | Identification and Authentication | Multifactor authentication is implemented for network access to non-privileged accounts. | Does the system uniquely identify and authenticate users, including privileged accounts [b,c,d]? | Level 2 | No | ||
| 3.5.4 | Control | Identification and Authentication | Employ replay-resistant authentication mechanisms. | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | Level 2 | Yes / -1 | ||
| 3.5.4[a] | Assessment Objective | Identification and Authentication | Replay-resistant authentication mechanisms are implemented for all network account access to privileged and non-privileged accounts. | Are only anti-replay authentication mechanisms used [a]? | Level 2 | Yes | ||
| 3.5.5 | Control | Identification and Authentication | Prevent reuse of identifiers for defined period. | Prevent reuse of identifiers for a defined period. | Level 2 | Yes / -1 | ||
| 3.5.5[a] | Assessment Objective | Identification and Authentication | A period within which identifiers cannot be reused is defined. | | Level 2 | Yes | ||
| 3.5.5[b] | Assessment Objective | Identification and Authentication | Reuse of identifiers is prevented within the defined period. | Are accounts uniquely assigned to employees, contractors, and subcontractors [b]? | Level 2 | Yes | ||
| 3.5.6 | Control | Identification and Authentication | Disable identifiers after a defined period of inactivity. | Disable identifiers after a defined period of inactivity. | Level 2 | Yes / -1 | ||
| 3.5.6[a] | Assessment Objective | Identification and Authentication | A period of inactivity after which an identifier is disabled is defined. | | Level 2 | Yes | ||
| 3.5.6[b] | Assessment Objective | Identification and Authentication | Identifiers are disabled after the defined period of inactivity. | Are user accounts or identifiers monitored for inactivity [b]? | Level 2 | Yes | ||
| 3.5.7 | Control | Identification and Authentication | Enforce minimum password complexity and changes. | Enforce a minimum password complexity and change of characters when new passwords are created. | Level 2 | Yes / -1 | ||
| 3.5.7[a] | Assessment Objective | Identification and Authentication | Password complexity requirements are defined. | Is a degree of complexity specified for passwords (e.g., are account passwords a minimum of 12 characters with a mix of upper/lower case, numbers, and special characters), including minimum requirements for each type [a,b,c]? | Level 2 | Yes | ||
| 3.5.7[b] | Assessment Objective | Identification and Authentication | Password change of character requirements are defined. | Is a degree of complexity specified for passwords (e.g., are account passwords a minimum of 12 characters with a mix of upper/lower case, numbers, and special characters), including minimum requirements for each type [a,b,c]? | Level 2 | Yes | ||
| 3.5.7[c] | Assessment Objective | Identification and Authentication | Minimum password complexity requirements as defined are enforced when new passwords are created. | Is a degree of complexity specified for passwords (e.g., are account passwords a minimum of 12 characters with a mix of upper/lower case, numbers, and special characters), including minimum requirements for each type [a,b,c]? | Level 2 | Yes | ||
| 3.5.7[d] | Assessment Objective | Identification and Authentication | Minimum password change of character requirements as defined are enforced when new passwords are created. | Is a change of characters required when new passwords are created [d]? | Level 2 | Yes | ||
| 3.5.8 | Control | Identification and Authentication | Prohibit password reuse. | Prohibit password reuse for a specified number of generations. | Level 2 | Yes / -1 | ||
| 3.5.8[a] | Assessment Objective | Identification and Authentication | The number of generations during which a password cannot be reused is specified. | How many generations of password changes need to take place before a password can be reused [a]? | Level 2 | Yes | ||
| 3.5.8[b] | Assessment Objective | Identification and Authentication | Reuse of passwords is prohibited during the specified number of generations. | | Level 2 | Yes | ||
| 3.5.9 | Control | Identification and Authentication | Allow temporary passwords. | Allow temporary password use for system logons with an immediate change to a permanent password. | Level 2 | Yes / -1 | ||
| 3.5.9[a] | Assessment Objective | Identification and Authentication | An immediate change to a permanent password is required when a temporary password is used for system logon. | Are temporary passwords only valid to allow a user to perform a password reset [a]? | Level 2 | Yes | ||
| 3.5.10 | Control | Identification and Authentication | Store and transmit only cryptographically-protected passwords. | Store and transmit only cryptographically-protected passwords. | Level 2 | No / -5 | Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. | |
| 3.5.10[a] | Assessment Objective | Identification and Authentication | Passwords are cryptographically protected in storage. | Are passwords prevented from being stored in reversible encryption form in any company systems [a]? | Level 2 | No | ||
| 3.5.10[b] | Assessment Objective | Identification and Authentication | Passwords are cryptographically protected in transit. | | Level 2 | No | ||
| 3.5.11 | Control | Identification and Authentication | Obscure feedback of authentication information. | Obscure feedback of authentication information. | Level 2 | Yes / -1 | ||
| 3.5.11[a] | Assessment Objective | Identification and Authentication | Authentication information is obscured during the authentication process. | Is authentication feedback immediately obscured when it is presented on a larger display (e.g., desktop or notebook computers with relatively large monitors) [a]? | Level 2 | Yes | ||
| 3.6.1 | Control | Incident Response | Establish an operational incident-handling capability. | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Level 2 | No / -5 | ||
| 3.6.1[a] | Assessment Objective | Incident Response | An operational incident-handling capability is established. | Is there an incident response policy which specifically outlines requirements for handling of incidents involving CUI [a]? | Level 2 | No | ||
| 3.6.1[b] | Assessment Objective | Incident Response | The operational incident-handling capability includes preparation. | | Level 2 | No | ||
| 3.6.1[c] | Assessment Objective | Incident Response | The operational incident-handling capability includes detection. | | Level 2 | No | ||
| 3.6.1[d] | Assessment Objective | Incident Response | The operational incident-handling capability includes analysis. | | Level 2 | No | ||
| 3.6.1[e] | Assessment Objective | Incident Response | The operational incident-handling capability includes containment. | | Level 2 | No | ||
| 3.6.1[f] | Assessment Objective | Incident Response | The operational incident-handling capability includes recovery. | | Level 2 | No | ||
| 3.6.1[g] | Assessment Objective | Incident Response | The operational incident-handling capability includes user response activities. | | Level 2 | No | ||
| 3.6.2 | Control | Incident Response | Track, document, and report incidents. | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. | Level 2 | No / -5 | ||
| 3.6.2[a] | Assessment Objective | Incident Response | Incidents are tracked. | Is there an incident response policy that directs the establishment of requirements for tracking and reporting of incidents involving CUI to appropriate officials [a,d]? | Level 2 | No | ||
| 3.6.2[b] | Assessment Objective | Incident Response | Incidents are documented. | | Level 2 | No | ||
| 3.6.2[c] | Assessment Objective | Incident Response | Authorities to whom incidents are to be reported are identified. | | Level 2 | No | ||
| 3.6.2[d] | Assessment Objective | Incident Response | Organizational officials to whom incidents are to be reported are identified. | Is there an incident response policy that directs the establishment of requirements for tracking and reporting of incidents involving CUI to appropriate officials [a,d]? | Level 2 | No | ||
| 3.6.2[e] | Assessment Objective | Incident Response | Identified authorities are notified of incidents. | Is cybersecurity incident information promptly reported to management [e,f]? | Level 2 | No | ||
| 3.6.2[f] | Assessment Objective | Incident Response | Identified organizational officials are notified of incidents. | Is cybersecurity incident information promptly reported to management [e,f]? | Level 2 | No | ||
| 3.6.3 | Control | Incident Response | Test the organizational incident response capability. | Test the organizational incident response capability. | Level 2 | Yes / -1 | ||
| 3.6.3[a] | Assessment Objective | Incident Response | The incident response capability is tested. | Does the incident response policy outline requirements for regular incident response plan testing and reviews of incident response capabilities [a]? | Level 2 | Yes | ||
| 3.7.1 | Control | Maintenance | Perform maintenance on organizational systems. | Perform maintenance on organizational systems. | Level 2 | No / -3 | ||
| 3.7.1[a] | Assessment Objective | Maintenance | System maintenance is performed. | Are systems, devices, and supporting systems maintained per manufacturer recommendations or company defined schedules [a]? | Level 2 | No | ||
| 3.7.2 | Control | Maintenance | Control the tools, techniques, mechanisms, and personnel used for system maintenance. | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | Level 2 | No / -5 | ||
| 3.7.2[a] | Assessment Objective | Maintenance | Tools used to conduct system maintenance are controlled. | Are physical or logical access controls used to limit access to maintenance tools to authorized personnel [a]? | Level 2 | No | ||
| 3.7.2[b] | Assessment Objective | Maintenance | Techniques used to conduct system maintenance are controlled. | Are physical or logical access controls used to limit access to system documentation and organizational maintenance process documentation to authorized personnel [b]? | Level 2 | No | ||
| 3.7.2[c] | Assessment Objective | Maintenance | Mechanisms used to conduct system maintenance are controlled. | Are physical or logical access controls used to limit access to automated mechanisms (e.g., automated scripts, scheduled jobs) to authorized personnel [c]? | Level 2 | No | ||
| 3.7.2[d] | Assessment Objective | Maintenance | Personnel used to conduct system maintenance are controlled. | Are physical or logical access controls used to limit access to the system entry points that enable maintenance (e.g., administrative portals, local and remote console access, and physical equipment panels) to authorized personnel [d]? | Level 2 | No | ||
| 3.7.3 | Control | Maintenance | Equipment sent for off-site maintenance is sanitized of CUI. | Ensure equipment removed for off-site maintenance is sanitized of any CUI. | Level 2 | Yes / -1 | ||
| 3.7.3[a] | Assessment Objective | Maintenance | Equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI. | Is there a process for sanitizing (e.g., erasing, wiping, degaussing) equipment that was used to store, process, or transmit CUI before it is removed from the facility for off-site maintenance (e.g., manufacturer or contracted maintenance support) [a]? | Level 2 | Yes | ||
| 3.7.4 | Control | Maintenance | Check assets for malicious code before use. | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. | Level 2 | No / -3 | ||
| 3.7.4[a] | Assessment Objective | Maintenance | Media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI. | Are media containing diagnostic and test programs (e.g., downloaded or copied utilities or tools from manufacturer, third-party, or in-house support teams) checked for malicious code (e.g., using antivirus or antimalware scans) before the media are used on organizational systems [a]? | Level 2 | No | ||
| 3.7.5 | Control | Maintenance | Require multifactor authentication for maintenance sessions. | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | Level 2 | No / -5 | ||
| 3.7.5[a] | Assessment Objective | Maintenance | Multifactor authentication is required to establish nonlocal maintenance sessions via external network connections. | Is multifactor authentication required prior to maintenance of a system when connecting remotely from outside the system boundary [a]? | Level 2 | No | ||
| 3.7.5[b] | Assessment Objective | Maintenance | Nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete. | Are personnel required to manually terminate remote maintenance sessions established via external network connections when maintenance is complete, or are connections terminated automatically through system session management mechanisms [b]? | Level 2 | No | ||
| 3.7.6 | Control | Maintenance | Supervise maintenance activities. | Supervise the maintenance activities of maintenance personnel without required access authorization. | Level 2 | Yes / -1 | ||
| 3.7.6[a] | Assessment Objective | Maintenance | Maintenance personnel without required access authorization are supervised during maintenance activities. | Are there processes for escorting and supervising maintenance personnel without required access authorization (e.g., vendor support personnel, short-term maintenance contractors) during system maintenance [a]? | Level 2 | Yes | ||
| 3.8.1 | Control | Media Protection | Protect assets containing CUI. | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. | Level 2 | No / -3 | Exposure limited to CUI on media | |
| 3.8.1[a] | Assessment Objective | Media Protection | Paper media containing CUI is physically controlled. | Is hardcopy media containing CUI handled only by authorized personnel according to defined procedures [a]? | Level 2 | No | ||
| 3.8.1[b] | Assessment Objective | Media Protection | Digital media containing CUI is physically controlled. | Is digital media containing CUI handled only by authorized personnel according to defined procedures [b]? | Level 2 | No | ||
| 3.8.1[c] | Assessment Objective | Media Protection | Paper media containing CUI is securely stored. | Is paper media containing CUI physically secured (e.g., in a locked drawer or cabinet) [c]? | Level 2 | No | ||
| 3.8.1[d] | Assessment Objective | Media Protection | Digital media containing CUI is securely stored. | Is digital media containing CUI securely stored (e.g., in access-controlled repositories) [d]? | Level 2 | No | ||
| 3.8.2 | Control | Media Protection | Limit access to CUI to authorized users. | Limit access to CUI on system media to authorized users. | Level 2 | No / -3 | Exposure limited to CUI on media | |
| 3.8.2[a] | Assessment Objective | Media Protection | Access to CUI on system media is limited to authorized users. | Is a list of users who are authorized to access the CUI contained on system media maintained [a]? | Level 2 | No | ||
| 3.8.3 | Control | Media Protection | Sanitize media containing CUI before disposal. | Sanitize or destroy system media containing CUI before disposal or release for reuse. | Level 1 | No / -5 | While exposure limited to CUI on media, failure to sanitize can result in continual exposure of CUI | |
| 3.8.3[a] | Assessment Objective | Media Protection | System media containing CUI is sanitized or destroyed before disposal. | Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure that no usable data is retrievable [a,b]? | Level 1 | No | ||
| 3.8.3[b] | Assessment Objective | Media Protection | System media containing CUI is sanitized before it is released for reuse. | Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure that no usable data is retrievable [a,b]? | Level 1 | No | ||
| 3.8.4 | Control | Media Protection | Mark media with CUI markings and distribution limitations. | Mark media with necessary CUI markings and distribution limitations. | Level 2 | Yes / -1 | ||
| 3.8.4[a] | Assessment Objective | Media Protection | Media containing CUI is marked with applicable CUI markings. | Are all media containing CUI identified [a,b]? | Level 2 | Yes | ||
| 3.8.4[b] | Assessment Objective | Media Protection | Media containing CUI is marked with distribution limitations. | Are all media containing CUI identified [a,b]? | Level 2 | Yes | ||
| 3.8.5 | Control | Media Protection | Control access to media containing CUI. | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. | Level 2 | Yes / -1 | ||
| 3.8.5[a] | Assessment Objective | Media Protection | Access to media containing CUI is controlled. | Do only approved individuals have access to media containing CUI [a]? | Level 2 | Yes | ||
| 3.8.5[b] | Assessment Objective | Media Protection | Accountability for media containing CUI is maintained during transport outside of controlled areas. | Is accountability for media containing CUI maintained during transport outside of controlled areas (e.g., chain-of-custody records or an audit log of who handled the media and when) [b]? | Level 2 | Yes | ||
| 3.8.6 | Control | Media Protection | Implement cryptographic mechanisms protecting CUI on media during transport. | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. | Level 2 | Yes / -1 | ||
| 3.8.6[a] | Assessment Objective | Media Protection | The confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards. | Are all CUI data on media encrypted or physically protected prior to transport outside of controlled areas [a]? | Level 2 | Yes | ||
| 3.8.7 | Control | Media Protection | Control the use of removable media. | Control the use of removable media on system components. | Level 2 | No / -5 | ||
| 3.8.7[a] | Assessment Objective | Media Protection | The use of removable media on system components containing CUI is controlled. | Is the use of removable media on system components controlled (e.g., blocked by policy or technical control, or restricted to approved, organization-owned devices) [a]? | Level 2 | No | ||
| 3.8.8 | Control | Media Protection | Prohibit the use of portable storage devices. | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Level 2 | No / -3 | ||
| 3.8.8[a] | Assessment Objective | Media Protection | The use of portable storage devices is prohibited when such devices have no identifiable owner. | Do portable storage devices used have identifiable owners [a]? | Level 2 | No | ||
| 3.8.9 | Control | Media Protection | Protect CUI backups. | Protect the confidentiality of backup CUI at storage locations. | Level 2 | Yes / -1 | ||
| 3.8.9[a] | Assessment Objective | Media Protection | The confidentiality of backup CUI is protected at storage locations. | Are data backups encrypted on media before removal from a secured facility [a]? | Level 2 | Yes | ||
| 3.9.1 | Control | Personnel Security | Screen individuals prior to accessing CUI. | Screen individuals prior to authorizing access to organizational systems containing CUI. | Level 2 | No / -3 | ||
| 3.9.1[a] | Assessment Objective | Personnel Security | Individuals are screened prior to authorizing access to organizational systems. | Are appropriate background checks completed prior to granting access to organizational systems containing CUI [a]? | Level 2 | No | ||
| 3.9.2 | Control | Personnel Security | CUI is protected during personnel terminations and transfers. | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | Level 2 | No / -5 | ||
| 3.9.2[a] | Assessment Objective | Personnel Security | A policy and/or process for terminating system access authorization and any credentials coincident with personnel actions is established. | Is all company information system-related property retrieved from the terminated or transferred employee within a certain timeframe [a,c]? | Level 2 | No | ||
| 3.9.2[b] | Assessment Objective | Personnel Security | System access and credentials are terminated consistent with personnel actions such as termination or transfer. | Are authenticators/credentials associated with the employee revoked upon termination or transfer within a certain timeframe [b,c]? | Level 2 | No | ||
| 3.9.2[c] | Assessment Objective | Personnel Security | The system is protected during and after personnel transfer actions. | Is all company information system-related property retrieved from the terminated or transferred employee within a certain timeframe [a,c]? Are authenticators/credentials associated with the employee revoked upon termination or transfer within a certain timeframe [b,c]? Is information system access disabled upon employee termination or transfer [c]? | Level 2 | No | ||
| 3.10.1 | Control | Physical Protection | Limit physical access to organizational assets. | Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. | Level 1 | No / -5 | ||
| 3.10.1[a] | Assessment Objective | Physical Protection | Authorized individuals allowed physical access are identified. | Are lists of personnel with authorized access developed and maintained, and are appropriate authorization credentials issued [a]? | Level 1 | No | ||
| 3.10.1[b] | Assessment Objective | Physical Protection | Physical access to organizational systems is limited to authorized individuals. | Has the facility/building manager designated building areas as “sensitive” and designed physical security protections (e.g., guards, locks, cameras, card readers) to limit physical access to the area to only authorized employees [b,c,d]? | Level 1 | No | ||
| 3.10.1[c] | Assessment Objective | Physical Protection | Physical access to equipment is limited to authorized individuals. | Has the facility/building manager designated building areas as “sensitive” and designed physical security protections (e.g., guards, locks, cameras, card readers) to limit physical access to the area to only authorized employees [b,c,d]? | Level 1 | No | ||
| 3.10.1[d] | Assessment Objective | Physical Protection | Physical access to operating environments is limited to authorized individuals. | Has the facility/building manager designated building areas as “sensitive” and designed physical security protections (e.g., guards, locks, cameras, card readers) to limit physical access to the area to only authorized employees [b,c,d]? | Level 1 | No | ||
| 3.10.2 | Control | Physical Protection | Protect and monitor the physical facility. | Protect and monitor the physical facility and support infrastructure for organizational systems. | Level 2 | No / -5 | ||
| 3.10.2[a] | Assessment Objective | Physical Protection | The physical facility where that system resides is protected. | | Level 2 | No | ||
| 3.10.2[b] | Assessment Objective | Physical Protection | The support infrastructure for that system is protected. | | Level 2 | No | ||
| 3.10.2[c] | Assessment Objective | Physical Protection | The physical facility where that system resides is monitored. | Is physical access monitored to detect and respond to physical security incidents [c,d]? | Level 2 | No | ||
| 3.10.2[d] | Assessment Objective | Physical Protection | The support infrastructure for that system is monitored. | Is physical access monitored to detect and respond to physical security incidents [c,d]? | Level 2 | No | ||
| 3.10.3 | Control | Physical Protection | Escort visitors and monitor visitor activity. | Escort visitors and monitor visitor activity. | Level 1 | Yes / -1 | ||
| 3.10.3[a] | Assessment Objective | Physical Protection | Visitors are escorted. | Are personnel required to accompany visitors to areas in a facility with physical access to organizational systems [a]? | Level 1 | Yes | ||
| 3.10.3[b] | Assessment Objective | Physical Protection | Visitor activity is monitored. | Are visitors clearly distinguishable from regular personnel [b]? | Level 1 | Yes | ||
| 3.10.4 | Control | Physical Protection | Maintain audit logs of physical access. | Maintain audit logs of physical access. | Level 1 | Yes / -1 | ||
| 3.10.4[a] | Assessment Objective | Physical Protection | Audit logs of physical access are maintained. | Are logs of physical access to sensitive areas (both authorized access and visitor access) maintained per retention requirements [a]? | Level 1 | Yes | ||
| 3.10.5 | Control | Physical Protection | Control and manage physical access devices. | Control and manage physical access devices. | Level 1 | Yes / -1 | ||
| 3.10.5[a] | Assessment Objective | Physical Protection | Physical access devices are identified. | Are lists or inventories of physical access devices maintained (e.g., keys, facility badges, key cards) [a]? | Level 1 | Yes | ||
| 3.10.5[b] | Assessment Objective | Physical Protection | Physical access devices are controlled. | Is access to physical access devices limited (e.g., granted to, and accessible only by, authorized individuals) [b]? | Level 1 | Yes | ||
| 3.10.5[c] | Assessment Objective | Physical Protection | Physical access devices are managed. | Are physical access devices managed (e.g., revoking key card access when necessary, changing locks as needed, maintaining access control devices and systems) [c]? | Level 1 | Yes | ||
| 3.10.6 | Control | Physical Protection | Enforce safeguarding of CUI at alternate sites. | Enforce safeguarding measures for CUI at alternate work sites. | Level 2 | Yes / -1 | ||
| 3.10.6[a] | Assessment Objective | Physical Protection | Safeguarding measures for CUI are defined for alternate work sites. | | Level 2 | Yes | ||
| 3.10.6[b] | Assessment Objective | Physical Protection | Safeguarding measures for CUI are enforced for alternate work sites. | Do all alternate sites where CUI data is stored or processed meet the same physical security requirements as the main site [b]? | Level 2 | Yes | ||
| 3.11.1 | Control | Risk Assessment | Conduct periodic risk assessments. | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Level 2 | No / -3 | ||
| 3.11.1[a] | Assessment Objective | Risk Assessment | The frequency to assess risk to organizational operations, organizational assets, and individuals is defined. | | Level 2 | No | ||
| 3.11.1[b] | Assessment Objective | Risk Assessment | Risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency. | Have initial and periodic risk assessments been conducted [b]? | Level 2 | No | ||
| 3.11.2 | Control | Risk Assessment | Conduct vulnerability scans. | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Level 2 | No / -5 | ||
| 3.11.2[a] | Assessment Objective | Risk Assessment | The frequency to scan for vulnerabilities in an organizational system and its applications that process, store, or transmit CUI is defined. | Is the frequency specified for vulnerability scans to be performed in organizational systems and applications (e.g., continuous passive scanning, scheduled active scans) [a]? Are vulnerability scans performed on a defined frequency or randomly in accordance with company policy [a,b,c]? | Level 2 | No | ||
| 3.11.2[b] | Assessment Objective | Risk Assessment | Vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI with the defined frequency. | Are vulnerability scans performed on a defined frequency or randomly in accordance with company policy [a,b,c]? | Level 2 | No | ||
| 3.11.2[c] | Assessment Objective | Risk Assessment | Vulnerability scans are performed in an application that contains CUI with the defined frequency. | Are vulnerability scans performed on a defined frequency or randomly in accordance with company policy [a,b,c]? | Level 2 | No | ||
| 3.11.2[d] | Assessment Objective | Risk Assessment | Vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI when new vulnerabilities are identified. | Are systems periodically scanned for common and new vulnerabilities [d,e]? | Level 2 | No | ||
| 3.11.2[e] | Assessment Objective | Risk Assessment | Vulnerability scans are performed in an application that contains CUI when new vulnerabilities are identified. | Are systems periodically scanned for common and new vulnerabilities [d,e]? | Level 2 | No | ||
| 3.11.3 | Control | Risk Assessment | Remediate vulnerabilities in accordance with risk assessments. | Remediate vulnerabilities in accordance with risk assessments. | Level 2 | Yes / -1 | ||
| 3.11.3[a] | Assessment Objective | Risk Assessment | Vulnerabilities are identified. | | Level 2 | Yes | ||
| 3.11.3[b] | Assessment Objective | Risk Assessment | Vulnerabilities are remediated in accordance with risk assessments. | Are the results of risk assessments used to prioritize vulnerabilities for remediation [b]? | Level 2 | Yes | ||
| 3.12.1 | Control | Security Assessment | Periodically assess security controls. | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Level 2 | No / -5 | ||
| 3.12.1[a] | Assessment Objective | Security Assessment | The frequency of security control assessments is defined. | Are security controls assessed at least annually [a]? | Level 2 | No | ||
| 3.12.1[b] | Assessment Objective | Security Assessment | Security controls are assessed with the defined frequency to determine if the controls are effective in their application. | Is the output of the security controls assessment documented [b]? | Level 2 | No | ||
| 3.12.2 | Control | Security Assessment | Develop and implement POA&Ms. | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Level 2 | No / -3 | ||
| 3.12.2[a] | Assessment Objective | Security Assessment | Deficiencies and vulnerabilities to be addressed by the plan of action are identified. | Is there an action plan to remediate identified weaknesses or deficiencies [a]? | Level 2 | No | ||
| 3.12.2[b] | Assessment Objective | Security Assessment | A plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities. | Is the action plan maintained as remediation is performed [b]? | Level 2 | No | ||
| 3.12.2[c] | Assessment Objective | Security Assessment | The plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. | Does the action plan designate remediation dates and milestones for each item [c]? | Level 2 | No | ||
| 3.12.3 | Control | Security Assessment | Periodically monitor security controls ensuring continued effectiveness. | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Level 2 | No / -5 | ||
| 3.12.3[a] | Assessment Objective | Security Assessment | Security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. | Are the security controls that need to be continuously monitored identified [a]? | Level 2 | No | ||
| 3.12.4 | Control | Security Assessment | Maintain updated system security plans. | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Level 2 | No / Fail | The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.’ | |
| 3.12.4[a] | Assessment Objective | Security Assessment | A system security plan is developed. | Do mechanisms exist to develop and periodically update an SSP [a,g]? | Level 2 | No | ||
| 3.12.4[b] | Assessment Objective | Security Assessment | The system boundary is described and documented in the system security plan. | | Level 2 | No | ||
| 3.12.4[c] | Assessment Objective | Security Assessment | The system environment of operation is described and documented in the system security plan. | | Level 2 | No | ||
| 3.12.4[d] | Assessment Objective | Security Assessment | The security requirements identified and approved by the designated authority as non-applicable are identified. | Are security requirements identified and approved by the designated authority as non-applicable documented in the system security plan [d]? | Level 2 | No | ||
| 3.12.4[e] | Assessment Objective | Security Assessment | The method of security requirement implementation is described and documented in the system security plan. | | Level 2 | No | ||
| 3.12.4[f] | Assessment Objective | Security Assessment | The relationship with or connection to other systems is described and documented in the system security plan. | | Level 2 | No | ||
| 3.12.4[g] | Assessment Objective | Security Assessment | The frequency to update the system security plan is defined. | Do mechanisms exist to develop and periodically update an SSP [a,g]? | Level 2 | No | ||
| 3.12.4[h] | Assessment Objective | Security Assessment | The system security plan is updated with the defined frequency. | | Level 2 | No | ||
| 3.13.1 | Control | System and Communications Protection | Monitor, control, and protect communications at boundary points. | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Level 1 | No / -5 | ||
| 3.13.1[a] | Assessment Objective | System and Communications Protection | The external system boundary is defined. | What are the external system boundary components that make up the entry and exit points for data flow (e.g., firewalls, gateways, cloud service boundaries), behind which all system components that handle regulated data are contained? What are the supporting system components necessary for the protection of regulated data [a]? | Level 1 | No | ||
| 3.13.1[b] | Assessment Objective | System and Communications Protection | Key internal system boundaries are defined. | What are the internal system boundary components that make up the entry and exit points for key internal data flow (e.g., internal firewalls, routers, any devices that can bridge the connection between one segment of the system and another) that separate segments of the internal network – including devices that separate internal network segments such as development and production networks as well as a traditional Demilitarized Zone (DMZ) at the edge of the network [b]? | Level 1 | No | ||
| 3.13.1[c] | Assessment Objective | System and Communications Protection | Communications are monitored at the external system boundary. | Is data flowing in and out of the external and key internal system boundaries monitored (e.g., connections are logged and able to be reviewed, suspicious traffic generates alerts) [c,d]? | Level 1 | No | ||
| 3.13.1[d] | Assessment Objective | System and Communications Protection | Communications are monitored at key internal boundaries. | Is data flowing in and out of the external and key internal system boundaries monitored (e.g., connections are logged and able to be reviewed, suspicious traffic generates alerts) [c,d]? | Level 1 | No | ||
| 3.13.1[e] | Assessment Objective | System and Communications Protection | Communications are controlled at the external system boundary. | Is data traversing the external and internal system boundaries controlled such that connections are denied by default and only authorized connections are allowed [e,f]? | Level 1 | No | ||
| 3.13.1[f] | Assessment Objective | System and Communications Protection | Communications are controlled at key internal boundaries. | Is data traversing the external and internal system boundaries controlled such that connections are denied by default and only authorized connections are allowed [e,f]? | Level 1 | No | ||
| 3.13.1[g] | Assessment Objective | System and Communications Protection | Communications are protected at the external system boundary. | Is data flowing in and out of the external and key internal system boundaries protected (e.g., applying encryption when required or prudent, tunneling traffic as needed) [g,h]? | Level 1 | No | ||
| 3.13.1[h] | Assessment Objective | System and Communications Protection | Communications are protected at key internal boundaries. | Is data flowing in and out of the external and key internal system boundaries protected (e.g., applying encryption when required or prudent, tunneling traffic as needed) [g,h]? | Level 1 | No | ||
| 3.13.2 | Control | System and Communications Protection | Employ secure architecture, development techniques, and engineering principles. | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Level 2 | No / -5 | ||
| 3.13.2[a] | Assessment Objective | System and Communications Protection | Architectural designs that promote effective information security are identified. | Does the organization have a defined system architecture [a,d]? | Level 2 | No | ||
| 3.13.2[b] | Assessment Objective | System and Communications Protection | Software development techniques that promote effective information security are identified. | | Level 2 | No | ||
| 3.13.2[c] | Assessment Objective | System and Communications Protection | Systems engineering principles that promote effective information security are identified. | | Level 2 | No | ||
| 3.13.2[d] | Assessment Objective | System and Communications Protection | Identified architectural designs that promote effective information security are employed. | Does the organization have a defined system architecture [a,d]? Are system security engineering principles applied in the specification, design, development and implementation of the systems [d,e,f]? | Level 2 | No | ||
| 3.13.2[e] | Assessment Objective | System and Communications Protection | Identified software development techniques that promote effective information security are employed. | Are system security engineering principles applied in the specification, design, development and implementation of the systems [d,e,f]? | Level 2 | No | ||
| 3.13.2[f] | Assessment Objective | System and Communications Protection | Identified systems engineering principles that promote effective information security are employed. | Are system security engineering principles applied in the specification, design, development and implementation of the systems [d,e,f]? | Level 2 | No | ||
| 3.13.3 | Control | System and Communications Protection | Separate user functionality from system management functionality. | Separate user functionality from system management functionality. | Level 2 | Yes / -1 | ||
| 3.13.3[a] | Assessment Objective | System and Communications Protection | User functionality is identified. | | Level 2 | Yes | ||
| 3.13.3[b] | Assessment Objective | System and Communications Protection | System management functionality is identified. | | Level 2 | Yes | ||
| 3.13.3[c] | Assessment Objective | System and Communications Protection | User functionality is separated from system management functionality. | Are physical or logical controls used to separate user functionality from system management-related functionality (e.g., to ensure that administration (e.g., privilege) options are not available to general users) [c]? | Level 2 | Yes | ||
| 3.13.4 | Control | System and Communications Protection | Prevent unauthorized / unintended information transfer. | Prevent unauthorized and unintended information transfer via shared system resources. | Level 2 | Yes / -1 | ||
| 3.13.4[a] | Assessment Objective | System and Communications Protection | Unauthorized and unintended information transfer via shared system resources is prevented. | Are shared system resources identified and documented [a]? | Level 2 | Yes | ||
| 3.13.5 | Control | System and Communications Protection | Subnetworks for publicly accessible system components. | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Level 1 | No / -5 | ||
| 3.13.5[a] | Assessment Objective | System and Communications Protection | Publicly accessible system components are identified. | Are any system components reachable by the public (e.g., internet-facing web servers, VPN gateways, publicly accessible cloud services) [a]? | Level 1 | No | ||
| 3.13.5[b] | Assessment Objective | System and Communications Protection | Subnetworks for publicly accessible system components are physically or logically separated from internal networks. | Are publicly accessible system components on physically or logically separated subnetworks (e.g., isolated subnetworks using separate, dedicated VLAN segments such as DMZs) [b]? | Level 1 | No | ||
| 3.13.6 | Control | System and Communications Protection | Deny communications by default. | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Level 2 | No / -5 | ||
| 3.13.6[a] | Assessment Objective | System and Communications Protection | Network communications traffic is denied by default. | Is network communications traffic on relevant system components (e.g., host and network firewalls, routers, gateways) denied by default (e.g., configured with an implicit deny rule that takes effect in the absence of any other matching traffic rule) [a]? | Level 2 | No | ||
| 3.13.6[b] | Assessment Objective | System and Communications Protection | Network communications traffic is allowed by exception. | Is network communications traffic on relevant system components (e.g., host and network firewalls, routers, gateways) allowed by exception (e.g., configured with explicit allow rules that take effect only when network traffic matches one or more rules) [b]? | Level 2 | No | ||
| 3.13.7 | Control | System and Communications Protection | Block split tunneling. | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). | Level 2 | Yes / -1 | ||
| 3.13.7[a] | Assessment Objective | System and Communications Protection | Remote devices are prevented from simultaneously establishing non-remote connections with the System and communicating via some other connection to resources in external networks (i.e., split tunneling). | Does the system prevent remote devices that have established connections (e.g., remote laptops) with the system from communicating outside that communications path with resources on uncontrolled/unauthorized networks [a]? | Level 2 | Yes | ||
| 3.13.8 | Control | System and Communications Protection | Implement cryptographic mechanisms in transit. | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Level 2 | No / -3 | ||
| 3.13.8[a] | Assessment Objective | System and Communications Protection | Cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. | Level 2 | No | |||
| 3.13.8[b] | Assessment Objective | System and Communications Protection | Alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified. | Level 2 | No | |||
| 3.13.8[c] | Assessment Objective | System and Communications Protection | Either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. | Are cryptographic mechanisms used to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures (e.g., PDS) [c]? | Level 2 | No | ||
| 3.13.9 | Control | System and Communications Protection | Terminate connections associated after defined period of inactivity. | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | Level 2 | Yes / -1 | ||
| 3.13.9[a] | Assessment Objective | System and Communications Protection | A period of inactivity to terminate network connections associated with communications sessions is defined. | Are the network connections requiring management and time-out for inactivity documented [a]? | Level 2 | Yes | ||
| 3.13.9[b] | Assessment Objective | System and Communications Protection | Network connections associated with communications sessions are terminated at the end of the sessions. | Level 2 | Yes | |||
| 3.13.9[c] | Assessment Objective | System and Communications Protection | Network connections associated with communications sessions are terminated after the defined period of inactivity. | Are the network connections requiring management and time-out for inactivity configured and implemented [c]? | Level 2 | Yes | ||
| 3.13.10 | Control | System and Communications Protection | Establish and manage cryptographic keys. | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Level 2 | Yes / -1 | ||
| 3.13.10[a] | Assessment Objective | System and Communications Protection | Cryptographic keys are established whenever cryptography is employed. | Are cryptographic keys established whenever cryptography is employed (e.g., digital signatures, authentication, authorization, transport, or other cryptographic mechanisms) [a]? | Level 2 | Yes | ||
| 3.13.10[b] | Assessment Objective | System and Communications Protection | Cryptographic keys are managed whenever cryptography is employed. | Are cryptographic keys established whenever cryptography is employed (e.g., digital signatures, authentication, authorization, transport, or other cryptographic mechanisms) [a]? | Level 2 | Yes | ||
| 3.13.11 | Control | System and Communications Protection | Employ FIPS-validated cryptography. | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Level 2 | No / -5 or -3 | Subtract 5 points if no cryptography is employed; 3 points if mostly not FIPS validated | |
| 3.13.11[a] | Assessment Objective | System and Communications Protection | Fips-validated cryptography is employed to protect the confidentiality of CUI. | Is cryptography implemented to protect the confidentiality of CUI at rest and in transit, through the configuration of systems and applications or through the use of encryption tools [a]? | Level 2 | No | ||
| 3.13.12 | Control | System and Communications Protection | Prohibit remote activation of devices. | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | Level 2 | Yes / -1 | ||
| 3.13.12[a] | Assessment Objective | System and Communications Protection | Collaborative computing devices are identified. | Level 2 | Yes | |||
| 3.13.12[b] | Assessment Objective | System and Communications Protection | Collaborative computing devices provide indication to users of devices in use. | Are the collaborative computing devices configured to provide indication to users when in use (e.g., a light, text notification, or audio tone) or are users alerted before entering a space (e.g., written notice posted outside the space) where they are in use [b]? | Level 2 | Yes | ||
| 3.13.12[c] | Assessment Objective | System and Communications Protection | Remote activation of collaborative computing devices is prohibited. | Are the collaborative computing devices configured to prevent them from being turned on without user interaction or consent [c]? | Level 2 | Yes | ||
| 3.13.13 | Control | System and Communications Protection | Control and monitor the use of mobile code. | Control and monitor the use of mobile code. | Level 2 | Yes / -1 | ||
| 3.13.13[a] | Assessment Objective | System and Communications Protection | Use of mobile code is controlled. | Are there defined limits of mobile code usage and established usage restrictions, which specifically authorize use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, Flash, Shockwave, Postscript, VBScript) within the information system [a]? | Level 2 | Yes | ||
| 3.13.13[b] | Assessment Objective | System and Communications Protection | Use of mobile code is monitored. | Is the use of mobile code documented, monitored, and managed (e.g., Java, JavaScript, ActiveX, PDF, Flash, Shockwave, Postscript, VBScript) [b]? | Level 2 | Yes | ||
| 3.13.14 | Control | System and Communications Protection | Control and monitor VoIP technologies. | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies | Level 2 | Yes / -1 | ||
| 3.13.14[a] | Assessment Objective | System and Communications Protection | Use of voice over internet protocol (voip) technologies is controlled. | Are VoIP technologies (e.g., approved and managed products or solutions) that may or may not be used in the system defined [a]? | Level 2 | Yes | ||
| 3.13.14[b] | Assessment Objective | System and Communications Protection | Use of voice over internet protocol (voip) technologies is monitored. | Is monitoring for unapproved VoIP technologies or unapproved use of the allowed VoIP solutions employed [b]? | Level 2 | Yes | ||
| 3.13.15 | Control | System and Communications Protection | Protect the authenticity of communications sessions. | Protect the authenticity of communications sessions | Level 2 | No / -5 | ||
| 3.13.15[a] | Assessment Objective | System and Communications Protection | The authenticity of communications sessions is protected. | Is a communications protocol used that ensures the sending and receiving parties do not change during a communications session [a]? | Level 2 | No | ||
| 3.13.16 | Control | System and Communications Protection | Protect the confidentiality of CUI at rest. . | Protect the confidentiality of CUI at rest. | Level 2 | Yes / -1 | ||
| 3.13.16[a] | Assessment Objective | System and Communications Protection | The confidentiality of CUI at rest is protected. | Is the confidentiality of CUI at rest protected using encryption of storage devices and/or appropriate physical methods [a]? | Level 2 | Yes | ||
| 3.14.1 | Control | System and Information Integrity | Identify, report, and correct system flaws in a timely manner. | Identify, report, and correct system flaws in a timely manner. | Level 1 | No / -5 | ||
| 3.14.1[a] | Assessment Objective | System and Information Integrity | The time within which to identify system flaws is specified. | Is the time frame (e.g., a set number of days) within which system flaw identification activities (e.g., vulnerability scans, configuration scans, manual review) must be performed defined and documented [a]? | Level 1 | No | ||
| 3.14.1[b] | Assessment Objective | System and Information Integrity | System flaws are identified within the specified time frame. | Are system flaws (e.g., vulnerabilities, misconfigurations) identified in accordance with the specified time frame [b]? | Level 1 | No | ||
| 3.14.1[c] | Assessment Objective | System and Information Integrity | The time within which to report system flaws is specified. | Level 1 | No | |||
| 3.14.1[d] | Assessment Objective | System and Information Integrity | System flaws are reported within the specified time frame. | Level 1 | No | |||
| 3.14.1[e] | Assessment Objective | System and Information Integrity | The time within which to correct system flaws is specified. | Is the time frame (e.g., a set number of days dependent on the assessed severity of a flaw) within which system flaws must be corrected defined and documented [e]? | Level 1 | No | ||
| 3.14.1[f] | Assessment Objective | System and Information Integrity | System flaws are corrected within the specified time frame. | Are system flaws (e.g., applied security patches, made configuration changes, or implemented workarounds or mitigations) corrected in accordance with the specified time frame [f]? | Level 1 | No | ||
| 3.14.2 | Control | System and Information Integrity | Provide malicious code protection. | Provide protection from malicious code at designated locations within organizational systems. | Level 1 | No / -5 | ||
| 3.14.2[a] | Assessment Objective | System and Information Integrity | Designated locations for malicious code protection are identified. | Are system components (e.g., workstations, servers, email gateways, mobile devices) for which malicious code protection must be provided identified and documented [a]? | Level 1 | No | ||
| 3.14.2[b] | Assessment Objective | System and Information Integrity | Protection from malicious code at designated locations is provided. | Level 1 | No | |||
| 3.14.3 | Control | System and Information Integrity | Monitor and respond to security alerts. | Monitor system security alerts and advisories and take action in response. | Level 2 | No / -5 | ||
| 3.14.3[a] | Assessment Objective | System and Information Integrity | Response actions to system security alerts and advisories are identified. | Are the responses to system security alerts and advisories identified in relation to the assessed severity of potential flaws (e.g., communicating with responsible personnel, initiating vulnerability scans, initiating system flaw remediation activities) [a]? Are system security alerts and advisories addressed (e.g., assessing potential severity or likelihood, communicating with responsible personnel, initiating vulnerability scans, initiating system flaw remediation activities) [a,c]? | Level 2 | No | ||
| 3.14.3[b] | Assessment Objective | System and Information Integrity | System security alerts and advisories are monitored. | Level 2 | No | |||
| 3.14.3[c] | Assessment Objective | System and Information Integrity | Actions in response to system security alerts and advisories are taken. | Are system security alerts and advisories addressed (e.g., assessing potential severity or likelihood, communicating with responsible personnel, initiating vulnerability scans, initiating system flaw remediation activities) [a,c]? | Level 2 | No | ||
| 3.14.4 | Control | System and Information Integrity | Update virus SW signatures. | Update malicious code protection mechanisms when new releases are available. | Level 1 | No / -5 | ||
| 3.14.4[a] | Assessment Objective | System and Information Integrity | Malicious code protection mechanisms are updated when new releases are available. | Is there a defined frequency by which malicious code protection mechanisms must be updated (e.g., frequency of automatic updates or manual processes) [a]? | Level 1 | No | ||
| 3.14.5 | Control | System and Information Integrity | Perform periodic scans. | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | Level 1 | No / -3 | ||
| 3.14.5[a] | Assessment Objective | System and Information Integrity | The frequency for malicious code scans is defined. | Level 1 | No | |||
| 3.14.5[b] | Assessment Objective | System and Information Integrity | Malicious code scans are performed with the defined frequency. | Level 1 | No | |||
| 3.14.5[c] | Assessment Objective | System and Information Integrity | Real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed. | Are files from media (e.g., USB drives, CD-ROM) included in the definition of external sources and are they being scanned [c]? | Level 1 | No | ||
| 3.14.6 | Control | System and Information Integrity | Monitor organizational systems and communications. | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks | Level 2 | No / -5 | ||
| 3.14.6[a] | Assessment Objective | System and Information Integrity | The system is monitored to detect attacks and indicators of potential attacks. | Are details provided for the methodology of determining attacks and indicators of attack [a]? | Level 2 | No | ||
| 3.14.6[b] | Assessment Objective | System and Information Integrity | Inbound communications traffic is monitored to detect attacks and indicators of potential attacks. | Are communications traffic flows understood and is there a deployed capability to review that traffic [b,c]? | Level 2 | No | ||
| 3.14.6[c] | Assessment Objective | System and Information Integrity | Outbound communications traffic is monitored to detect attacks and indicators of potential attacks. | Are communications traffic flows understood and is there a deployed capability to review that traffic [b,c]? | Level 2 | No | ||
| 3.14.7 | Control | System and Information Integrity | Identify unauthorized use of organizational systems. . | Identify unauthorized use of organizational systems. | Level 2 | No / -3 | ||
| 3.14.7[a] | Assessment Objective | System and Information Integrity | Authorized use of the System is defined. | Is authorized use of systems defined (e.g., data types permitted for storage or processing, personnel authorized to access, times or days of permitted use, permitted software) [a]? | Level 2 | No | ||
| 3.14.7[b] | Assessment Objective | System and Information Integrity | Unauthorized use of the System is identified. | Is unauthorized use of systems defined (e.g., not authorized to use systems for bitcoin mining, not authorized for pornographic content, not authorized to access gambling games/content) [b]? | Level 2 | No |
800-171 Controls (Simplified)
This blog serves as a focused reference guide to NIST SP 800-171 and 800-171A by presenting each control alongside its corresponding assessment objectives and considerations. The content is structured in a clear, tabular format that maps controls to their verification criteria, enabling readers to understand not just what is required, but how compliance is evaluated. Each entry also identifies whether the control aligns to CMMC Level 1 or Level 2 and includes the associated SPRS point deduction if the control is not met. The result is a practical, audit-aligned resource designed to support organizations in preparing for assessments and understanding the measurable impact of compliance gaps.