CMMC V2

Controls:

The System and Information Integrity (SI) control safeguards information systems and data by preventing unauthorized access, detecting anomalies, and responding to threats. It enforces regular vulnerability assessments, implements monitoring for unauthorized activity, and ensures incident response readiness. Measures include integrity verification, malware protection, access controls, and secure configuration management. Data integrity, audit logging, and boundary protection contribute to a robust cybersecurity posture. Upholding SI enhances system trustworthiness and minimizes risks to data confidentiality, availability, and integrity, thus bolstering an organization's ability to withstand and counteract cybersecurity challenges.

  • Flaw Remediation (SI.L1-3.14.1)

    The Flaw Remediation (SI.L1-3.14.1) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on addressing and remediating software and hardware flaws to ensure the integrity and security of information systems.

  • Flaw Remediation (SI.L1-3.14.1[a])

    The Flaw Remediation (SI.L1-3.14.1[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 is a specific aspect focusing on addressing and remediating vulnerabilities or flaws in software and hardware components. This subcontrol emphasizes a targeted and risk-based approach to flaw remediation.

  • Flaw Remediation (SI.L1-3.14.1[b])

    The Flaw Remediation (SI.L1-3.14.1[b]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 is a specific aspect focusing on enhancing the effectiveness of flaw remediation efforts through the establishment of proactive measures and feedback mechanisms.

  • Flaw Remediation (SI.L1-3.14.1[c])

    The Flaw Remediation (SI.L1-3.14.1[c]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 is a specific aspect focusing on documenting and communicating lessons learned from flaw remediation efforts. It emphasizes the importance of institutionalizing knowledge to improve future responses to vulnerabilities.

  • Flaw Remediation (SI.L1-3.14.1[d])

    The Flaw Remediation (SI.L1-3.14.1[d]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on assessing the effectiveness of flaw remediation activities and ensuring that corrective actions lead to sustained improvements in the organization's cybersecurity posture.

  • Flaw Remediation (SI.L1-3.14.1[e])

    The Flaw Remediation (SI.L1-3.14.1[e]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on ensuring the documentation and communication of effective remediation practices and lessons learned throughout the organization.

  • Flaw Remediation (SI.L1-3.14.1[f])

    The Flaw Remediation (SI.L1-3.14.1[f]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on incorporating automated mechanisms to improve the efficiency and effectiveness of flaw identification, analysis, and remediation.

  • Malicious Code Protection (SI.L1-3.14.2)

    The Malicious Code Protection (SI.L1-3.14.2) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing measures to detect, prevent, and respond to malicious code or software within the organization's information systems.

  • Malicious Code Protection (SI.L1-3.14.2[a])

    The Malicious Code Protection (SI.L1-3.14.2[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on deploying and maintaining antivirus software to detect and remove known malicious code from the organization's information systems.

  • Malicious Code Protection (SI.L1-3.14.2[b])

    The Malicious Code Protection (SI.L1-3.14.2[b]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on implementing additional protective measures beyond traditional antivirus solutions to detect and prevent more sophisticated forms of malicious code.

  • Security Alerts & Advisories (SI.L2-3.14.3)

    The Security Alerts & Advisories (SI.L2-3.14.3) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing processes for the timely receipt, dissemination, and response to security alerts and advisories relevant to the organization's information systems.

  • Security Alerts & Advisories (SI.L2-3.14.3[a])

    The Security Alerts & Advisories (SI.L2-3.14.3[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing processes to receive, assess, and respond to security alerts and advisories that are specific to the organization's industry and operational environment.

  • Security Alerts & Advisories (SI.L2-3.14.3[b])

    The Security Alerts & Advisories (SI.L2-3.14.3[b]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on ensuring that organizations have processes in place to assess the potential impact of security alerts and advisories on their specific information systems and take appropriate response actions.

  • Security Alerts & Advisories (SI.L2-3.14.3[c])

    The Security Alerts & Advisories (SI.L2-3.14.3[c]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing mechanisms for continuous monitoring and evaluation of the effectiveness of the organization's response to security alerts and advisories.

  • Update Malicious Code Protection (SI.L1-3.14.4)

    The Update Malicious Code Protection (SI.L1-3.14.4) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on ensuring that organizations regularly update and maintain their malicious code protection mechanisms to defend against the latest known threats.

  • Update Malicious Code Protection (SI.L1-3.14.4[a])

    The Update Malicious Code Protection (SI.L1-3.14.4[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing procedures to promptly update and maintain malicious code protection mechanisms in response to identified vulnerabilities and emerging threats.

  • System & File Scanning (SI.L1-3.14.5)

    The System & File Scanning (SI.L1-3.14.5) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing procedures to regularly scan and analyze systems and files for the presence of malicious code, vulnerabilities, and other security risks.

  • System & File Scanning (SI.L1-3.14.5[a])

    The System & File Scanning (SI.L1-3.14.5[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 specifically addresses the need for organizations to establish procedures for scanning and analyzing systems and files to identify and mitigate potential security risks. This subcontrol emphasizes the importance of regularly updating scanning tools and technologies to stay resilient against evolving threats.

  • System & File Scanning (SI.L1-3.14.5[b])

    The System & File Scanning (SI.L1-3.14.5[b]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing procedures for the routine scanning and analysis of systems and files with an emphasis on identifying and mitigating potential security risks related to unauthorized changes.

  • System & File Scanning (SI.L1-3.14.5[c])

    The System & File Scanning (SI.L1-3.14.5[c]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on implementing procedures for the routine scanning and analysis of systems and files to identify and address potential security risks, with a specific emphasis on vulnerabilities.

  • Monitor Communications for Attacks (SI.L2-3.14.6)

    The Monitor Communications for Attacks (SI.L2-3.14.6) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing comprehensive monitoring procedures to detect and respond to potential cyber attacks targeting the communication channels within an organization's network.

  • Monitor Communications for Attacks (SI.L2-3.14.6[a])

    The Monitor Communications for Attacks (SI.L2-3.14.6[a]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on the enhancement of monitoring procedures with a specific emphasis on detecting and responding to sophisticated and targeted cyber attacks against an organization's communication channels.

  • Monitor Communications for Attacks (SI.L2-3.14.6[b])

    The Monitor Communications for Attacks (SI.L2-3.14.6[b]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on expanding monitoring capabilities to detect and respond to cyber attacks against an organization's communication channels, with a specific emphasis on identifying and mitigating insider threats.

  • Monitor Communications for Attacks (SI.L2-3.14.6[c])

    The Monitor Communications for Attacks (SI.L2-3.14.6[c]) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on advancing monitoring capabilities to detect and respond to cyber attacks against an organization's communication channels, with a specific emphasis on identifying and mitigating malware-related threats.

  • Identify Unauthorized Use (SI.L2-3.14.7)

    The Identify Unauthorized Use (SI.L2-3.14.7) subcontrol within the System and Information Integrity (SI) control of CMMCv2 focuses on establishing measures to detect and respond to unauthorized use of an organization's information systems and communication channels.

  • Identify Unauthorized Use (SI.L2-3.14.7[a])

    The "Identify Unauthorized Use" subcontrol, designated as SI.L2-3.14.7[a], focuses on implementing measures to promptly detect and prevent unauthorized access or use of information systems. This subcontrol aims to enhance the organization's ability to identify and respond to unauthorized activities, thereby preserving the integrity and confidentiality of sensitive information.

  • Identify Unauthorized Use (SI.L2-3.14.7[b])

    The "Identify Unauthorized Use" subcontrol, specified as SI.L2-3.14.7[b], is designed to establish measures that promptly detect and prevent unauthorized access or use of information systems. This subcontrol enhances the organization's ability to identify and respond to unauthorized activities, contributing to the overall security posture by preserving the integrity and confidentiality of sensitive information.

The System and Communications Protection (SC) control within the CMMCv2 framework is designed to establish safeguards for protecting information systems and the communication channels used to transmit sensitive data. This control focuses on implementing measures to ensure the confidentiality, integrity, and availability of information during storage, processing, and transmission.

  • Boundary Protection (SC.L1-3.13.1)

    The Boundary Protection subcontrol aims to establish and maintain effective boundary protections for systems and communications. This includes defining and enforcing access control policies and procedures to ensure that only authorized entities can access and communicate with organizational systems.

  • Boundary Protection (SC.L1-3.13.1[a])

    The SC.L1-3.13.1[a] subcontrol under System and Communications Protection (SC) accentuates the importance of implementing boundary protections by specifically addressing the requirement for employing encryption for data in transit. This measure ensures that sensitive information traversing organizational boundaries remains confidential and secure against unauthorized access and interception.

  • Boundary Protection (SC.L1-3.13.1[b])

    The SC.L1-3.13.1[b] subcontrol within System and Communications Protection (SC) centers on the necessity of implementing robust boundary protection measures by focusing on the detection and prevention of unauthorized physical connections at organizational boundaries. This ensures that only authorized connections are established, reducing the risk of unauthorized access and potential compromise.

  • Boundary Protection (SC.L1-3.13.1[c])

    The SC.L1-3.13.1[c] subcontrol within the System and Communications Protection (SC) domain underscores the importance of implementing measures to detect and prevent the introduction of unauthorized software at organizational boundaries. This includes vigilant monitoring, control mechanisms, and security protocols to safeguard against the introduction of malicious code or unauthorized applications.

  • Boundary Protection (SC.L1-3.13.1[d])

    The SC.L1-3.13.1[d] subcontrol within the System and Communications Protection (SC) domain addresses the importance of implementing measures to control the flow of information at organizational boundaries. Specifically, it focuses on ensuring that only authorized data transfers occur, preventing unauthorized exfiltration and ensuring the integrity and confidentiality of sensitive information.

  • Boundary Protection (SC.L1-3.13.1[e])

    The SC.L1-3.13.1[e] subcontrol within the System and Communications Protection (SC) domain emphasizes the necessity of implementing measures to ensure the integrity of data entering and exiting organizational boundaries. This involves implementing safeguards to prevent unauthorized modification, corruption, or introduction of malicious content during data transfers.

  • Boundary Protection (SC.L1-3.13.1[f])

    The SC.L1-3.13.1[f] subcontrol within the System and Communications Protection (SC) domain highlights the importance of implementing measures to monitor and control the use of mobile devices and removable media at organizational boundaries. This includes safeguards to prevent unauthorized connections and data transfers through these devices, ensuring the security of information systems.

  • Boundary Protection (SC.L1-3.13.1[g])

    The Boundary Protection subcontrol (SC.L1-3.13.1[g]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on establishing and enforcing physical and logical access restrictions to protect sensitive information within organizational boundaries. This subcontrol is designed to prevent unauthorized access and data exfiltration at the network boundaries.

  • Boundary Protection (SC.L1-3.13.1[h])

    The Boundary Protection subcontrol (SC.L1-3.13.1[h]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on establishing and enforcing physical and logical access restrictions to protect sensitive information within organizational boundaries. This subcontrol emphasizes the need for organizations to implement measures that prevent unauthorized physical access and tampering with system boundaries.

  • Security Engineering (SC.L2-3.13.2)

    The Security Engineering subcontrol (SC.L2-3.13.2) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on the application of secure engineering principles to design, develop, and implement information systems that effectively protect against advanced persistent threats and other sophisticated adversaries. This subcontrol emphasizes the importance of integrating security measures throughout the system development life cycle.

  • Security Engineering (SC.L2-3.13.2[a])

    The Security Engineering subcontrol (SC.L2-3.13.2[a]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on incorporating security considerations into the system engineering processes. Specifically, this subcontrol emphasizes the importance of conducting a threat analysis and implementing security controls during the system design and development phases to ensure a proactive and robust security posture.

  • Security Engineering (SC.L2-3.13.2[b])

    The Security Engineering subcontrol (SC.L2-3.13.2[b]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on ensuring that security measures are effectively integrated into the development and implementation of information systems. Specifically, this subcontrol emphasizes the importance of conducting secure coding practices and implementing security controls to mitigate vulnerabilities in the developed software.

  • Security Engineering (SC.L2-3.13.2[c])

    The Security Engineering subcontrol (SC.L2-3.13.2[c]) within the System and Communications Protection (SC) domain of CMMC Version 2 emphasizes the need to establish and maintain a secure engineering process. Specifically, this subcontrol focuses on the integration of security measures into the development and implementation of information systems, with an emphasis on resilience against sophisticated cyber threats.

  • Security Engineering (SC.L2-3.13.2[d])

    The Security Engineering subcontrol (SC.L2-3.13.2[d]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on implementing security measures that are tailored to the organization's specific threats and vulnerabilities. This subcontrol emphasizes the customization of security controls and practices to address the unique risks faced by the organization.

  • Security Engineering (SC.L2-3.13.2[e])

    The Security Engineering subcontrol (SC.L2-3.13.2[e]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on incorporating resilience and survivability measures into the organization's information systems. This subcontrol emphasizes the need to design systems that can withstand and recover from sophisticated cyber threats and disruptions.

  • Security Engineering (SC.L2-3.13.2[f])

    The Security Engineering subcontrol (SC.L2-3.13.2[f]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on implementing security measures to ensure the integrity and trustworthiness of information systems. This subcontrol emphasizes the importance of secure configurations and the verification of the integrity of system components.

  • Role Separation (SC.L2-3.13.3)

    The Role Separation subcontrol (SC.L2-3.13.3) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on mitigating the risk of unauthorized access by enforcing separation of duties and responsibilities. This subcontrol emphasizes the importance of limiting access to sensitive information and critical system functions to only those individuals who require such access to perform their job functions.

  • Role Separation (SC.L2-3.13.3[a])

    The Role Separation subcontrol (SC.L2-3.13.3[a]) within the System and Communications Protection (SC) domain of CMMC Version 2 focuses on implementing role-based access controls to ensure that individuals have access only to the information and system functions necessary for their specific job roles. This subcontrol aims to prevent unauthorized access, reduce the risk of conflicts of interest, and enhance overall cybersecurity posture.

  • Role Separation (SC.L2-3.13.3[b])

    The Role Separation subcontrol (SC.L2-3.13.3[b]) within the System and Communications Protection (SC) domain of CMMC Version 2 emphasizes the need to enforce segregation of duties to reduce the risk of unauthorized access and potential conflicts of interest. This subcontrol aims to enhance cybersecurity by ensuring that critical tasks require the involvement of multiple individuals, preventing a single point of failure.

  • Role Separation (SC.L2-3.13.3[c])

    The Role Separation subcontrol (SC.L2-3.13.3[c]) within the System and Communications Protection (SC) domain of CMMC Version 2 emphasizes the importance of maintaining clear segregation of duties to prevent unauthorized access and ensure accountability. This subcontrol focuses on establishing and enforcing roles within the organization to reduce the risk of conflicts of interest and enhance overall cybersecurity.

  • Shared Resource Control (SC.L2-3.13.4)

    Shared Resource Control is a critical aspect of securing information systems, ensuring that resources accessed and utilized by multiple users or processes are protected against unauthorized access and potential security breaches. This control aims to establish and enforce measures that govern the use and sharing of resources, preventing compromise and ensuring the confidentiality, integrity, and availability of sensitive information.

  • Shared Resource Control (SC.L2-3.13.4[a])

    This subcontrol addresses the need to establish and enforce controls over shared resources within the system to prevent unauthorized access and ensure the confidentiality and integrity of sensitive information. Shared resources may include databases, file systems, and other components that are accessed and utilized by multiple users or processes.

  • Public-Access System Separation (SC.L1-3.13.5)

    Public-Access System Separation addresses the need to prevent unauthorized access to systems that are accessible to the public. This control aims to establish clear separation between systems designed for public access and those containing sensitive information, reducing the risk of unauthorized disclosure or compromise of critical data.

  • Public-Access System Separation (SC.L1-3.13.5[a])

    Public-Access System Separation (SC.L1-3.13.5[a]) addresses the specific requirement to ensure a clear separation between systems accessible to the public and internal networks. This control emphasizes the importance of implementing measures to prevent unauthorized access to internal resources through public-facing systems, thereby protecting sensitive information from compromise.

  • Public-Access System Separation (SC.L1-3.13.5[b])

    Public-Access System Separation (SC.L1-3.13.5[b]) is a control aimed at ensuring the secure separation of systems accessible to the public from internal networks. This control focuses on preventing unauthorized access to sensitive information by implementing measures such as network segmentation, access controls, and monitoring mechanisms specific to public-facing systems.

  • Network Communication by Exception (SC.L2-3.13.6)

    Network Communication by Exception (SC.L2-3.13.6) is a control that focuses on restricting network communications to only those services and ports that are necessary for the organization's mission and business functions. This control helps minimize the attack surface and reduce the risk of unauthorized access and data exfiltration by limiting the network communication channels to only essential services.

  • Network Communication by Exception (SC.L2-3.13.6[a])

    Network Communication by Exception (SC.L2-3.13.6[a]) builds on the broader control by emphasizing the need for well-defined exceptions when allowing network communications. This control requires organizations to implement a default-deny rule for network communications and only permit exceptions based on specific business functions and mission-critical processes.

  • Network Communication by Exception (SC.L2-3.13.6[b])

    Network Communication by Exception (SC.L2-3.13.6[b]) is an advanced control within the CMMCv2 framework, building on the principles of controlling network communications based on business needs. This subcontrol emphasizes the need for a more granular approach to exception management, allowing organizations to define specific criteria for exceptions beyond basic business functions.

  • Split Tunneling (SC.L2-3.13.7)

    Split Tunneling (SC.L2-3.13.7) is a control that addresses the secure configuration of network connections, particularly focusing on scenarios where a user's internet traffic is divided ("split") between the organization's secure network and an external network, such as the internet. The control aims to mitigate potential security risks associated with split tunneling configurations.

  • Split Tunneling (SC.L2-3.13.7[a])

    Split Tunneling (SC.L2-3.13.7[a]) is a control that focuses on ensuring secure configurations for network connections, specifically addressing scenarios where users' internet traffic is divided ("split") between the organization's secure network and an external network. The control aims to minimize security risks associated with split tunneling while allowing for efficient network utilization.

  • Data in Transit (SC.L2-3.13.8)

    Data in Transit (SC.L2-3.13.8) is a control that focuses on securing the transmission of sensitive data over networks. This control is designed to protect information as it travels between systems and endpoints, ensuring the confidentiality and integrity of the data during transit.

  • Data in Transit (SC.L2-3.13.8[a])

    Data in Transit Encryption (SC.L2-3.13.8[a]) is a subcontrol that specifically addresses the protection of sensitive data as it traverses networks. This subcontrol focuses on implementing encryption mechanisms to ensure the confidentiality and integrity of data during its transmission between systems, devices, or endpoints.

  • Data in Transit (SC.L2-3.13.8[b])

    Data in Transit Segmentation (SC.L2-3.13.8[b]) is a subcontrol that focuses on enhancing the security of data during its transmission across networks. This subcontrol emphasizes the importance of segmenting or isolating sensitive data flows to minimize exposure and potential risks associated with unauthorized access or interception.

  • Data in Transit (SC.L2-3.13.8[c])

    Data in Transit Monitoring (SC.L2-3.13.8[c]) is a subcontrol that focuses on actively monitoring the transmission of data across networks. This subcontrol emphasizes the importance of real-time monitoring to detect and respond to anomalous activities, potential security incidents, or unauthorized access during data transmission.

  • Connections Termination (SC.L2-3.13.9)

    Connections Termination (SC.L2-3.13.9) is a subcontrol that focuses on the secure termination of network connections. This subcontrol emphasizes the importance of ensuring that network connections are terminated in a controlled and secure manner to prevent unauthorized access, data leakage, or potential security risks.

  • Connections Termination (SC.L2-3.13.9[a])

    User-Initiated Connections Termination (SC.L2-3.13.9[a]) is a subcontrol that emphasizes secure procedures for terminating network connections initiated by users. This subcontrol recognizes the importance of providing users with the knowledge and tools to terminate connections in a controlled and secure manner.

  • Connections Termination (SC.L2-3.13.9[b])

    Automated Connections Termination (SC.L2-3.13.9[b]) is a subcontrol that focuses on the secure termination of network connections through automated processes. This subcontrol recognizes the significance of implementing controls and mechanisms to automatically terminate connections in a controlled and secure manner, minimizing the risk of unauthorized access or data exposure.

  • Connections Termination (SC.L2-3.13.9[c])

    Monitoring and Logging of Connections Termination (SC.L2-3.13.9[c]) is a subcontrol that emphasizes the importance of implementing robust monitoring and logging mechanisms for tracking the termination of network connections. This subcontrol recognizes the value of detailed logs and monitoring data in detecting and responding to anomalous activities, potential security incidents, or unauthorized terminations.

  • Key Management (SC.L2-3.13.10)

    Key Management (SC.L2-3.13.10) is a subcontrol that focuses on establishing and maintaining robust key management practices to ensure the security of cryptographic keys used for encryption, decryption, and digital signatures. This subcontrol encompasses the lifecycle of cryptographic keys, from generation and distribution to storage, rotation, and disposal.

  • Key Management (SC.L2-3.13.10[a])

    Key Generation Procedures (SC.L2-3.13.10[a]) is a specific subcontrol under the broader Key Management control in the CMMCv2 framework. It focuses on defining and implementing secure procedures for generating cryptographic keys. The effectiveness of cryptographic systems heavily relies on the randomness and unpredictability of key generation, making this subcontrol critical for ensuring the confidentiality and integrity of sensitive information.

  • Key Management (SC.L2-3.13.10[b])

    Distribution Controls (SC.L2-3.13.10[b]) is a specific subcontrol under the broader Key Management control in the CMMCv2 framework. This subcontrol focuses on implementing secure controls for the distribution of cryptographic keys. The secure distribution of keys is crucial to ensure that they reach authorized entities without interception or tampering, thereby maintaining the confidentiality and integrity of communication.

  • CUI Encryption (SC.L2-3.13.11)

    CUI Encryption (SC.L2-3.13.11) is a subcontrol within the System and Communications Protection domain of the CMMCv2 framework. It specifically focuses on the protection of Controlled Unclassified Information (CUI) through encryption. The subcontrol aims to safeguard sensitive information from unauthorized access and disclosure by ensuring that CUI is encrypted when stored, processed, or transmitted.

  • CUI Encryption (SC.L2-3.13.11[a])

    CUI Classification for Encryption (SC.L2-3.13.11[a]) is a specific subcontrol under the broader CUI Encryption control in the CMMCv2 framework. This subcontrol emphasizes the importance of classifying Controlled Unclassified Information (CUI) based on sensitivity levels to determine the appropriate encryption measures. By categorizing CUI, organizations can apply encryption controls commensurate with the level of risk associated with the information.

  • Collaborative Device Control (SC.L2-3.13.12)

    Collaborative Device Control is a subcontrol under System and Communications Protection (SC) in CMMCv2. It aims to manage and secure collaborative devices to ensure the confidentiality, integrity, and availability of sensitive information within a collaborative environment.

  • Collaborative Device Control (SC.L2-3.13.12[a])

    Collaborative Device Control (SC.L2-3.13.12[a]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. It specifically addresses the secure management and usage of collaborative devices to ensure the confidentiality, integrity, and availability of sensitive information in collaborative environments.

  • Collaborative Device Control (SC.L2-3.13.12[b])

    Collaborative Device Control (SC.L2-3.13.12[b]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This subcontrol addresses the secure configuration and management of collaborative devices to ensure the confidentiality, integrity, and availability of sensitive information within collaborative environments.

  • Collaborative Device Control (SC.L2-3.13.12[c])

    Collaborative Device Control (SC.L2-3.13.12[c]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This subcontrol focuses on monitoring and auditing the usage of collaborative devices to ensure the confidentiality, integrity, and availability of sensitive information within collaborative environments.

  • Mobile Code (SC.L2-3.13.13)

    Mobile Code (SC.L2-3.13.13) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control is designed to manage the risks associated with the use of mobile code, which includes software or scripts that are transmitted, received, or executed on information systems.

  • Mobile Code (SC.L2-3.13.13[a])

    Mobile Code (SC.L2-3.13.13[a]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control focuses on the secure development and deployment of mobile code, addressing the risks associated with externally received or executed code on information systems.

  • Mobile Code (SC.L2-3.13.13[b])

    Mobile Code (SC.L2-3.13.13[b]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control focuses on managing and securing the risks associated with the deployment and execution of mobile code on information systems.

  • Voice over Internet Protocol (SC.L2-3.13.14)

    Voice over Internet Protocol (VoIP) (SC.L2-3.13.14) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control focuses on securing the use of Voice over Internet Protocol services to protect the confidentiality, integrity, and availability of voice communications over the network.

  • Voice over Internet Protocol (SC.L2-3.13.14[a])

    Voice over Internet Protocol (VoIP) Encryption (SC.L2-3.13.14[a]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control specifically addresses the need for encrypting VoIP communications to protect the confidentiality and integrity of voice data transmitted over IP networks.

  • Voice over Internet Protocol (SC.L2-3.13.14[b])

    Voice over Internet Protocol (VoIP) Access Controls (SC.L2-3.13.14[b]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control focuses on implementing access controls for VoIP systems to prevent unauthorized access and ensure the integrity of voice communications.

  • Communications Authenticity (SC.L2-3.13.15)

    Communications Authenticity (SC.L2-3.13.15) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control is designed to ensure the authenticity of communications, verifying the integrity of data exchanged over communication channels.

  • Communications Authenticity (SC.L2-3.13.15[a]), Security Control Assessment (CA.L2-3.12.1[a])

    Communications Authenticity (SC.L2-3.13.15[a]) focuses on the cryptographic aspects of authenticating communications. This control aims to ensure the integrity and authenticity of data exchanged over communication channels through the implementation of cryptographic techniques.

    Security Control Assessment (CA.L2-3.12.1[a]) involves the development and management of a Plan of Action and Milestones (POA&M) to address security control assessment findings and deficiencies.

  • Data at Rest (SC.L2-3.13.16)

    Data at Rest (SC.L2-3.13.16) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control focuses on protecting data stored in systems and databases when it is not actively being used or transferred. It aims to prevent unauthorized access or disclosure of sensitive information.

  • Data at Rest (SC.L2-3.13.16[a])

    Data at Rest - Encryption (SC.L2-3.13.16[a]) is a subcontrol within the System and Communications Protection (SC) domain of CMMCv2. This control focuses on securing data stored in systems and databases through the use of encryption techniques.

  • Security Control Assessment (CA.L2-3.12.1)

    Security Control Assessment (CA.L2-3.12.1) is a subcontrol within the Security Assessment (CA) domain of CMMCv2. This control focuses on conducting assessments to evaluate the effectiveness of security controls in place, identify vulnerabilities, and ensure ongoing compliance with security requirements.

The Security Assessment (CA.A) control within the CMMCv2 framework is designed to evaluate and validate the effectiveness of an organization's cybersecurity measures. This control encompasses various activities, including vulnerability assessments, penetration testing, and security reviews, to identify weaknesses, validate controls, and ensure compliance with cybersecurity requirements.

  • Security Control Assessment (CA.L2-3.12.1[a])

    This subcontrol focuses on conducting a thorough Security Control Assessment (SCA) to ensure the effectiveness of implemented security controls and their alignment with organizational requirements. Specifically, CA.L2-3.12.1[a] addresses the assessment of security controls related to the management of cryptographic keys.

  • Security Control Assessment (CA.L2-3.12.1[b])

    Security Control Assessment - Continuous Monitoring (CA.L2-3.12.1[b]) is a subcontrol within the Security Assessment (CA) domain of CMMCv2. This control focuses on establishing continuous monitoring practices to regularly assess the effectiveness of security controls and detect changes in the security posture of an organization.

  • Plan of Action (CA.L2-3.12.2)

    Plan of Action (CA.L2-3.12.2) is a subcontrol within the Security Assessment (CA) domain of CMMCv2. This control focuses on the development and management of a Plan of Action and Milestones (POA&M) to address security assessment findings and deficiencies.

  • Plan of Action (CA.L2-3.12.2[a])

    This control focuses on the establishment and maintenance of a Plan of Action (POA) for identified security vulnerabilities and deficiencies discovered during security assessments (SAs). The objective is to ensure that organizations systematically address and mitigate identified weaknesses, enhancing overall security posture.

  • Plan of Action (CA.L2-3.12.2[b])

    Control CA.L2-3.12.2[b] emphasizes the need for organizations to establish and maintain a comprehensive Plan of Action (POA) specifically for deficiencies identified during security assessments (SAs). This control ensures that organizations systematically address and mitigate security weaknesses to enhance their overall cybersecurity posture.

  • Plan of Action (CA.L2-3.12.2[c])

    Control CA.L2-3.12.2[c] focuses on the establishment and maintenance of a comprehensive Plan of Action (POA) specifically tailored for deficiencies identified during security assessments (SAs). This control ensures that organizations have a systematic approach to address and mitigate security weaknesses, thereby enhancing their overall cybersecurity resilience.

  • Security Control Monitoring (CA.L2-3.12.3)

    Control CA.L2-3.12.3 focuses on the continuous monitoring of security controls to ensure their effectiveness and responsiveness to emerging threats. This subcontrol emphasizes real-time observation, analysis, and response to security events to enhance an organization's ability to detect, prevent, and mitigate potential security incidents.

  • Security Control Monitoring (CA.L2-3.12.3[a])

    Control CA.L2-3.12.3[a] underscores the importance of continuous monitoring of security controls to ensure their effectiveness against emerging threats. This subcontrol emphasizes real-time observation, analysis, and response to security events, facilitating the identification, prevention, and mitigation of potential security incidents.

  • System Security Plan (CA.L2-3.12.4)

    Control CA.L2-3.12.4 focuses on the creation and maintenance of a robust System Security Plan (SSP) as an essential component of the Security Assessment process. The SSP serves as a comprehensive document outlining the security controls and measures in place, aiding in the assessment and continuous improvement of an organization's cybersecurity posture.

  • System Security Plan (CA.L2-3.12.4[a])

    Control CA.L2-3.12.4[a] emphasizes the importance of a well-structured and regularly updated System Security Plan (SSP) as a foundational element in the Security Assessment process. The SSP serves as a comprehensive document detailing an organization's security controls, policies, and procedures, facilitating effective security assessment and risk management.

  • System Security Plan (CA.L2-3.12.4[b])

    Control CA.L2-3.12.4[b] highlights the importance of a thorough and regularly updated System Security Plan (SSP) as a critical component of the Security Assessment process. The SSP serves as a comprehensive document detailing an organization's security controls, policies, and procedures, providing a foundation for effective security assessments and risk management.

  • System Security Plan (CA.L2-3.12.4[c])

    Control CA.L2-3.12.4[c] underscores the importance of a comprehensive and regularly updated System Security Plan (SSP) within the Security Assessment process. The SSP serves as a foundational document, detailing an organization's security controls, policies, and procedures. This subcontrol emphasizes the ongoing relevance and accuracy of the SSP for effective security assessments and risk management.

  • System Security Plan (CA.L2-3.12.4[d])

    Control CA.L2-3.12.4[d] underscores the critical need for a comprehensive and regularly updated System Security Plan (SSP) as an integral part of the Security Assessment process. The SSP serves as a foundational document, articulating an organization's security controls, policies, and procedures. This subcontrol specifically emphasizes the importance of aligning the SSP with organizational risk management strategies.

  • System Security Plan (CA.L2-3.12.4[e])

    Control CA.L2-3.12.4[e] emphasizes the need for a comprehensive and regularly updated System Security Plan (SSP) as an integral component of the Security Assessment process. The SSP serves as a foundational document, articulating an organization's security controls, policies, and procedures. This subcontrol specifically focuses on ensuring the alignment of the SSP with the organization's incident response capabilities.

  • System Security Plan (CA.L2-3.12.4[f])

    Control CA.L2-3.12.4[f] underscores the importance of a comprehensive and regularly updated System Security Plan (SSP) as an integral part of the Security Assessment process. The SSP serves as a foundational document, articulating an organization's security controls, policies, and procedures. This subcontrol specifically focuses on ensuring the alignment of the SSP with the organization's configuration management processes.

  • System Security Plan (CA.L2-3.12.4[g])

    CA.L2-3.12.4[g] focuses on the development and maintenance of a System Security Plan (SSP) that provides a comprehensive overview of the security posture of an information system. The SSP serves as a crucial document outlining security controls, policies, and procedures implemented to safeguard sensitive information.

  • System Security Plan (CA.L2-3.12.4[h])

    CA.L2-3.12.4[h] emphasizes the importance of maintaining an up-to-date and comprehensive System Security Plan (SSP) to reflect changes in the information system's security posture. This subcontrol focuses on ensuring that the SSP accurately represents the current state of security controls, policies, and procedures.

The Risk Assessment (RA.A) control within the CMMCv2 framework focuses on systematically identifying, analyzing, and evaluating cybersecurity risks to the organization's information systems and sensitive data. This control aims to inform decision-making processes, prioritize risk mitigation efforts, and enhance the overall resilience of the organization against cyber threats.

  • Risk Assessments (RA.L2-3.11.1)

    Control RA.L2-3.11.1 focuses on conducting regular and comprehensive risk assessments as part of the Risk Management process. The goal is to identify, evaluate, and prioritize risks to the organization's information systems and sensitive data. This subcontrol is essential for proactively managing and mitigating potential threats and vulnerabilities.

  • Risk Assessments (RA.L2-3.11.1[a])

    Control RA.L2-3.11.1[a] emphasizes the importance of conducting specific risk assessments to identify, evaluate, and prioritize risks to the organization's information systems and sensitive data. This subcontrol ensures a focused and targeted approach to risk management tailored to the organization's unique context and requirements.

  • Risk Assessments (RA.L2-3.11.1[b])

    Control RA.L2-3.11.1[b] emphasizes the need for organizations to conduct periodic and comprehensive risk assessments. The objective is to systematically identify, evaluate, and prioritize risks to the organization's information systems and sensitive data. This subcontrol ensures a proactive and ongoing approach to risk management.

  • Vulnerability Scan (RA.L2-3.11.2)

    Control RA.L2-3.11.2 emphasizes the importance of conducting regular vulnerability scans as part of the organization's risk assessment process. Vulnerability scans are instrumental in identifying weaknesses in information systems, providing critical insights for risk mitigation and enhancing overall cybersecurity resilience.

  • Vulnerability Scan (RA.L2-3.11.2[a])

    Control RA.L2-3.11.2[a] specifically focuses on the requirement for organizations to conduct vulnerability scans using approved tools and methodologies. These scans aim to identify and assess vulnerabilities within the organization's information systems, contributing to a proactive risk assessment and mitigation strategy.

  • Vulnerability Scan (RA.L2-3.11.2[b])

    Control RA.L2-3.11.2[b] focuses on the need for organizations to conduct vulnerability scans specifically on components within the supply chain. This subcontrol ensures that organizations extend their vulnerability management practices to assess and mitigate risks associated with third-party vendors and suppliers.

  • Vulnerability Scan (RA.L2-3.11.2[c])

    Control RA.L2-3.11.2[c] emphasizes the importance of conducting vulnerability scans specifically on external-facing systems. This subcontrol ensures organizations proactively identify and mitigate vulnerabilities that may be exploited from the external environment, safeguarding against potential cyber threats.

  • Vulnerability Scan (RA.L2-3.11.2[d])

    Control RA.L2-3.11.2[d] focuses on the importance of conducting vulnerability scans on mobile devices. This subcontrol ensures organizations proactively identify and mitigate vulnerabilities specific to mobile devices, protecting against potential threats in the mobile environment.

  • Vulnerability Scan (RA.L2-3.11.2[e])

    Control RA.L2-3.11.2[e] focuses on the necessity of conducting vulnerability scans on databases. This subcontrol ensures organizations proactively identify and mitigate vulnerabilities specific to databases, safeguarding against potential threats targeting critical data repositories.

  • Vulnerability Remediation (RA.L2-3.11.3)

    Control RA.L2-3.11.3 emphasizes the importance of promptly addressing and remediating identified vulnerabilities. This subcontrol ensures organizations have a structured and efficient process for remediating vulnerabilities, reducing the risk of exploitation and enhancing overall cybersecurity resilience.

  • Vulnerability Remediation (RA.L2-3.11.3[a])

    Control RA.L2-3.11.3[a] focuses on the need for organizations to establish and implement automated mechanisms for the remediation of identified vulnerabilities. This subcontrol ensures a proactive and efficient approach to addressing vulnerabilities through automated processes, reducing manual intervention and accelerating response times.

  • Vulnerability Remediation (RA.L2-3.11.3[b])

    Control RA.L2-3.11.3[b] emphasizes the need for organizations to establish and implement manual remediation processes for identified vulnerabilities. This subcontrol ensures that organizations have a structured and effective approach to addressing vulnerabilities that may require manual intervention, complementing automated remediation efforts.

The Physical Protection (PE) control within the CMMCv2 framework focuses on implementing measures to secure physical assets, facilities, and personnel from unauthorized access, damage, or harm. This control aims to protect critical resources, sensitive information, and ensure the continuity of operations by implementing security measures at physical locations.

  • Limit Physical Access (PE.L1-3.10.1)

    Control PE.L1-3.10.1 focuses on restricting and controlling physical access to facilities, systems, and equipment to authorized personnel only. This subcontrol aims to prevent unauthorized individuals from gaining physical access to sensitive areas and assets, thereby enhancing the overall physical security posture of the organization.

  • Limit Physical Access (PE.L1-3.10.1[a])

    Control PE.L1-3.10.1[a] focuses on establishing and enforcing access control measures to limit physical access to facilities during non-operational hours. This subcontrol aims to prevent unauthorized entry outside normal working hours, thereby enhancing the overall physical security posture of the organization.

  • Limit Physical Access (PE.L1-3.10.1[b])

    Control PE.L1-3.10.1[b] emphasizes the importance of implementing access control measures to limit physical access to facilities based on individuals' roles and responsibilities. This subcontrol ensures that only authorized personnel with specific job functions have access to areas relevant to their duties, enhancing the overall physical security posture of the organization.

  • Limit Physical Access (PE.L1-3.10.1[c])

    Control PE.L1-3.10.1[c] emphasizes the need to limit physical access to facilities based on specific operational requirements and conditions. This subcontrol ensures that access controls are adjusted and enforced according to the organization's unique operational scenarios, further enhancing the overall physical security posture.

  • Limit Physical Access (PE.L1-3.10.1[d])

    Control PE.L1-3.10.1[d] underscores the importance of limiting physical access to facilities during emergency situations. This subcontrol ensures that organizations have specific measures and protocols in place to restrict access to critical areas under emergency conditions, thereby safeguarding personnel and sensitive assets.

  • Monitor Facility (PE.L2-3.10.2)

    Control PE.L2-3.10.2 emphasizes the need to implement monitoring mechanisms to enhance the security posture of physical facilities. This subcontrol focuses on continuous monitoring of facilities through various means to detect and respond to potential security incidents promptly.

  • Monitor Facility (PE.L2-3.10.2[a])

    Control PE.L2-3.10.2[a] emphasizes the need for organizations to monitor their facilities using automated tools and technologies. This subcontrol specifically addresses the implementation of automated monitoring solutions to enhance the surveillance capabilities of physical facilities.

  • Monitor Facility (PE.L2-3.10.2[b])

    Control PE.L2-3.10.2[b] underscores the importance of monitoring physical facilities through human-driven processes. This subcontrol focuses on the deployment of personnel for continuous surveillance to enhance the security posture of facilities.

  • Monitor Facility (PE.L2-3.10.2[c])

    Control PE.L2-3.10.2[c] emphasizes the need for organizations to implement a comprehensive monitoring program for their physical facilities. This subcontrol specifically addresses the coordination and collaboration between internal security personnel and external entities for enhanced facility surveillance.

  • Monitor Facility (PE.L2-3.10.2[d])

    Control PE.L2-3.10.2[d] emphasizes the importance of leveraging advanced technologies for facility monitoring. This subcontrol specifically addresses the deployment of cutting-edge technologies, such as video analytics and intrusion detection systems, to enhance the surveillance capabilities of physical facilities.

  • Escort Visitors (PE.L1-3.10.3)

    Control PE.L1-3.10.3 emphasizes the need for organizations to implement escort protocols for visitors within controlled areas. This subcontrol is designed to ensure that visitors are accompanied by authorized personnel, enhancing the overall security posture of the facility.

  • Escort Visitors (PE.L1-3.10.3[a])

    Control PE.L1-3.10.3[a] emphasizes the need for organizations to implement escort protocols for visitors within controlled areas, specifically addressing the need for personnel to escort visitors possessing a Visitor Authorization Credential.

  • Escort Visitors (PE.L1-3.10.3[b])

    Control PE.L1-3.10.3[b] emphasizes the importance of implementing escort protocols for visitors within controlled areas, specifically addressing the need for personnel to escort visitors without a valid Visitor Authorization Credential.

  • Physical Access Logs (PE.L1-3.10.4)

    Control PE.L1-3.10.4 emphasizes the importance of maintaining accurate and detailed physical access logs for controlled areas. This subcontrol focuses on the documentation of individuals accessing sensitive locations, enabling organizations to monitor and review physical access activities.

  • Physical Access Logs (PE.L1-3.10.4[a])

    Control PE.L1-3.10.4[a] emphasizes the need for organizations to specifically capture and document access details related to individuals entering and exiting controlled areas. This subcontrol ensures that access logs contain comprehensive information to support effective monitoring and review of physical access activities.

  • Manage Physical Access (PE.L1-3.10.5)

    Control PE.L1-3.10.5 addresses the need for organizations to establish and implement a comprehensive management framework for controlling physical access to facilities. This subcontrol encompasses policies, procedures, and measures to ensure that individuals have appropriate and authorized access to controlled areas.

  • Manage Physical Access (PE.L1-3.10.5[a])

    Control PE.L1-3.10.5[a] specifically addresses the need for organizations to establish and implement access control policies that govern physical access to facilities. This subcontrol emphasizes the importance of defining principles and criteria for granting and managing access privileges.

  • Manage Physical Access (PE.L1-3.10.5[b])

    Control PE.L1-3.10.5[b] focuses on the need for organizations to implement access approval procedures, defining a structured process for obtaining and granting approvals for physical access. This subcontrol ensures a controlled and consistent approach to managing access privileges.

  • Manage Physical Access (PE.L1-3.10.5[c])

    Control PE.L1-3.10.5[c] addresses the importance of maintaining an Access Control List (ACL) to manage physical access. This subcontrol ensures that organizations establish and maintain a comprehensive list of individuals and roles with authorized access to controlled areas.

  • Alternative Work Sites (PE.L2-3.10.6)

    Control PE.L2-3.10.6 addresses the need for organizations to establish and implement physical protection measures when employees work from alternative sites. This subcontrol ensures that security considerations extend to remote work environments, safeguarding sensitive information and resources.

  • Alternative Work Sites (PE.L2-3.10.6[a])

    Control PE.L2-3.10.6[a] emphasizes the need for organizations to establish and document specific security requirements for employees working from alternative sites. This subcontrol ensures that security considerations extend to remote work environments, protecting both physical and informational assets.

  • Alternative Work Sites (PE.L2-3.10.6[b])

    Control PE.L2-3.10.6[b] emphasizes the implementation of secure access mechanisms for employees working from alternative sites. This subcontrol ensures that organizations establish and document measures to guarantee secure remote access, protecting both physical and informational assets.

The Personnel Security (PS) control within the CMMCv2 framework is designed to establish measures that ensure the trustworthiness and reliability of individuals who have access to sensitive information systems and data. This control addresses the human element of cybersecurity, focusing on screening, training, and managing personnel to minimize the risk of insider threats and unauthorized access.

  • Screen Individuals (PS.L2-3.9.1)

    Control PS.L2-3.9.1 emphasizes the importance of screening individuals before granting them access to sensitive information or facilities. This subcontrol ensures that organizations implement a comprehensive screening process to assess the trustworthiness and suitability of individuals for specific roles.

  • Screen Individuals (PS.L2-3.9.1[a])

    Control PS.L2-3.9.1[a] expands on the broader screening process by specifically emphasizing the importance of reviewing and assessing the criminal history of individuals applying for positions that involve access to sensitive information or facilities. This subcontrol ensures that organizations implement a thorough criminal background check as part of the overall screening process.

  • Personnel Actions (PS.L2-3.9.2)

    Control PS.L2-3.9.2 emphasizes the importance of implementing measures to manage personnel actions effectively, including hiring, transfer, promotion, and termination. This subcontrol ensures that organizations apply consistent and secure processes for personnel-related actions to mitigate the risk of insider threats and unauthorized access.

  • Personnel Actions (PS.L2-3.9.2[a])

    Control PS.L2-3.9.2[a] specifies the need to incorporate security considerations into the hiring process within the broader personnel action lifecycle. It emphasizes establishing and maintaining secure procedures for hiring personnel, ensuring that security measures are integrated from the initial stages of employment.

  • Personnel Actions (PS.L2-3.9.2[b])

    Control PS.L2-3.9.2[b] emphasizes the need for organizations to integrate security considerations into the transfer process within the personnel action lifecycle. This subcontrol aims to establish and maintain secure procedures for personnel transfers, ensuring that security measures accompany employees moving within the organization.

  • Personnel Actions (PS.L2-3.9.2[c])

    Control PS.L2-3.9.2[c] underscores the significance of incorporating security considerations into the promotion process within the personnel action lifecycle. This subcontrol aims to establish and maintain secure procedures for personnel promotions, ensuring that security measures accompany employees advancing within the organization.

The Media Protection (MP.A) control within the CMMCv2 framework is designed to safeguard both physical and digital media containing sensitive information. This control focuses on preventing unauthorized access, disclosure, alteration, or destruction of data stored on various types of media, including physical devices, removable storage, and digital repositories.

  • Media Access (MP.L2-3.8.2), Media Protection (MP.L2-3.8.1)

    Control MP.L2-3.8.1 emphasizes the need for organizations to establish and maintain procedures for the protection of media containing Controlled Unclassified Information (CUI). This includes safeguarding physical and digital media from unauthorized access and ensuring the integrity and confidentiality of the information stored on such media.

    Control MP.L2-3.8.2 focuses on controlling access to media containing Controlled Unclassified Information (CUI). This subcontrol ensures that only authorized individuals have access to sensitive information stored on media and that access is granted based on established security policies.

  • Media Protection (MP.L2-3.8.1)

    Control MP.L2-3.8.1 underscores the importance of safeguarding media containing Controlled Unclassified Information (CUI). This subcontrol aims to establish and maintain procedures for the protection of both physical and digital media, ensuring the confidentiality, integrity, and availability of sensitive information.

  • Media Protection (MP.L2-3.8.1[a])

    Control MP.L2-3.8.1[a] emphasizes the secure handling and protection of physical media that contains Controlled Unclassified Information (CUI). This subcontrol is designed to prevent unauthorized access, theft, or tampering with physical storage mediums, such as paper documents, external drives, and other tangible forms of information storage.

  • Media Protection (MP.L2-3.8.1[b])

    The Media Protection control within CMMC focuses on safeguarding and managing media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Subcontrol MP.L2-3.8.1[b] specifically addresses the sanitization or destruction of media to prevent unauthorized access to sensitive information.

  • Media Protection (MP.L2-3.8.1[c])

    The Media Protection control within CMMC is designed to secure and manage media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Subcontrol MP.L2-3.8.1[c] specifically addresses the establishment and maintenance of access controls for media, ensuring that only authorized individuals have the ability to access sensitive information.

  • Media Protection (MP.L2-3.8.1[d])

    The Media Protection control within CMMC focuses on safeguarding and managing media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Subcontrol MP.L2-3.8.1[d] specifically addresses the protection of media during transport, ensuring that adequate measures are in place to prevent unauthorized access, interception, or tampering during transit.

  • Media Protection (MP.L2-3.8.1[e])

    MP.L2-3.8.1[e] focuses on implementing media protection measures to safeguard information stored on physical and electronic media. This subcontrol aims to prevent unauthorized access, disclosure, and alteration of sensitive information during its life cycle, from creation to disposal.

  • Media Access (MP.L2-3.8.2)

    The Media Access subcontrol within the Media Protection control of CMMC focuses on controlling access to media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). MP.L2-3.8.2 aims to ensure that only authorized individuals can access and interact with media to prevent unauthorized disclosure, modification, or destruction of sensitive information.

  • Media Access (MP.L2-3.8.2[a])

    The Media Access subcontrol MP.L2-3.8.2[a] within the Media Protection control of CMMC focuses on the establishment of procedures for granting and managing access to media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This includes defining the criteria for granting access, maintaining an access list, and ensuring that access is authorized based on the principle of least privilege.

  • Media Disposal (MP.L1-3.8.3)

    The Media Disposal subcontrol MP.L1-3.8.3 within the Media Protection control of CMMC addresses the secure and proper disposal of media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This involves establishing and executing procedures to ensure that media is disposed of in a manner that prevents unauthorized access to sensitive information.

  • Media Disposal (MP.L1-3.8.3[a])

    The Media Disposal subcontrol MP.L1-3.8.3[a] within the Media Protection control of CMMC specifically addresses the secure disposal of physical media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It focuses on establishing procedures for the secure and irreversible destruction of physical media to prevent unauthorized access to sensitive information.

  • Media Disposal (MP.L1-3.8.3[b])

    The Media Disposal subcontrol MP.L1-3.8.3[b] within the Media Protection control of CMMC focuses on the secure disposal of digital media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It emphasizes the need for organizations to establish and implement procedures to ensure the secure and irreversible erasure or destruction of digital media, preventing unauthorized access to sensitive information.

  • Media Markings (MP.L2-3.8.4)

    The Media Markings subcontrol MP.L2-3.8.4 within the Media Protection control of CMMC focuses on implementing proper markings on media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It involves clearly indicating the sensitivity and handling requirements of the information on both physical and digital media to prevent mishandling and unauthorized disclosure.

  • Media Markings (MP.L2-3.8.4[a])

    The Media Markings subcontrol MP.L2-3.8.4[a] within the Media Protection control of CMMC focuses on implementing specific markings on media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to indicate its sensitivity level. This subcontrol emphasizes the importance of consistent and standardized markings to communicate the security requirements associated with the information on both physical and digital media.

  • Media Markings (MP.L2-3.8.4[b])

    The Media Markings subcontrol MP.L2-3.8.4[b] within the Media Protection control of CMMC focuses on implementing markings on media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to convey its sensitivity level and the handling requirements. This subcontrol emphasizes the need for organizations to provide specific markings that address the unique characteristics and risks associated with the information on both physical and digital media.

  • Media Accountability (MP.L2-3.8.5)

    The Media Accountability subcontrol MP.L2-3.8.5 within the Media Protection control of CMMC focuses on establishing mechanisms to track and maintain accountability for media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol emphasizes the need for organizations to implement processes that ensure visibility into the creation, distribution, and destruction of sensitive information stored on both physical and digital media.

  • Media Accountability (MP.L2-3.8.5[a])

    The Media Accountability subcontrol MP.L2-3.8.5[a] within the Media Protection control of CMMC emphasizes the establishment of specific tracking mechanisms to ensure accountability for media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol focuses on implementing processes that track the creation, distribution, access, and disposal of sensitive information on both physical and digital media.

  • Media Accountability (MP.L2-3.8.5[b])

    The Media Accountability subcontrol MP.L2-3.8.5[b] within the Media Protection control of CMMC focuses on enhancing accountability mechanisms by specifically addressing the tracking of actions related to media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol emphasizes the need for organizations to implement detailed tracking processes that cover the entire lifecycle of sensitive information on both physical and digital media.

  • Portable Storage Encryption (MP.L2-3.8.6)

    The Portable Storage Encryption subcontrol MP.L2-3.8.6 within the Media Protection control of CMMC focuses on securing sensitive information stored on portable storage devices, such as USB drives and external hard drives, through the implementation of encryption. This subcontrol aims to prevent unauthorized access to Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the event of loss or theft of portable storage media.

  • Portable Storage Encryption (MP.L2-3.8.6[a])

    The Portable Storage Encryption subcontrol MP.L2-3.8.6[a] within the Media Protection control of CMMC focuses on enhancing the security of sensitive information stored on portable storage devices, such as USB drives and external hard drives. This subcontrol specifically emphasizes the use of encryption as a safeguard to protect Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in case of potential loss or theft of portable storage media.

  • Removable Media (MP.L2-3.8.7)

    The Removable Media subcontrol MP.L2-3.8.7 within the Media Protection control of CMMC addresses the secure usage of removable media devices, such as USB drives and external hard drives, to prevent unauthorized access and protect Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol aims to establish measures that mitigate risks associated with the use of removable media, including data loss, theft, or introduction of malicious software.

  • Removable Media (MP.L2-3.8.7[a])

    The Removable Media subcontrol MP.L2-3.8.7[a] within the Media Protection control of CMMC addresses the secure usage of removable media devices, such as USB drives and external hard drives. Specifically, this subcontrol focuses on the implementation of access controls and scanning mechanisms to mitigate the risks associated with the introduction of external media into organizational systems. The goal is to prevent unauthorized access, data breaches, and the potential introduction of malicious software.

  • Shared Media (MP.L2-3.8.8)

    The Shared Media subcontrol MP.L2-3.8.8 within the Media Protection control of CMMC addresses the secure handling and protection of shared media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol emphasizes the importance of implementing measures to control and monitor the use of media that is accessible by multiple individuals or systems to prevent unauthorized access and protect sensitive information.

  • Shared Media (MP.L2-3.8.8[a])

    The Shared Media subcontrol MP.L2-3.8.8[a] within the Media Protection control of CMMC focuses on enhancing the security of shared media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol specifically addresses the need to implement role-based access controls and monitoring mechanisms to ensure the confidentiality and integrity of sensitive information stored on shared media.

  • Protect Backups (MP.L2-3.8.9)

    The Protect Backups subcontrol MP.L2-3.8.9 within the Media Protection control of CMMC addresses the secure handling and protection of backups containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol emphasizes the importance of implementing measures to safeguard backup copies, ensuring their integrity, availability, and protection against unauthorized access.

  • Protect Backups (MP.L2-3.8.9[a])

    The Protect Backups subcontrol MP.L2-3.8.9[a] within the Media Protection control of CMMC focuses on enhancing the security of backup copies containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This subcontrol specifically addresses the need to implement encryption, access controls, and secure storage practices to safeguard the integrity and confidentiality of backup data.

The Maintenance (MA) control within the CMMCv2 framework focuses on establishing processes and procedures to ensure the ongoing maintenance and integrity of information systems. This control aims to prevent security vulnerabilities and disruptions to operations by addressing regular updates, patches, and the overall health of hardware and software components.

  • Perform Maintenance (MA.L2-3.7.1)

    The Perform Maintenance subcontrol MA.L2-3.7.1 within the Maintenance control of CMMC focuses on establishing and executing procedures to ensure the ongoing effectiveness, security, and functionality of organizational information systems. This subcontrol encompasses regular maintenance activities, updates, and configurations to address vulnerabilities, enhance performance, and mitigate potential risks.

  • Perform Maintenance (MA.L2-3.7.1[a])

    The Perform Maintenance subcontrol MA.L2-3.7.1[a] within the Maintenance control of CMMC emphasizes the need for organizations to establish and execute procedures specifically focusing on addressing identified vulnerabilities and applying updates to software and firmware. This subcontrol ensures that maintenance activities are conducted systematically and regularly to enhance the security, performance, and resilience of information systems.

  • System Maintenance Control (MA.L2-3.7.2)

    The System Maintenance Control subcontrol MA.L2-3.7.2 within the Maintenance control of CMMC focuses on establishing controls to manage and oversee maintenance activities on information systems. This includes implementing processes for planning, scheduling, and conducting system maintenance in a structured manner to minimize disruptions, ensure security, and maintain overall system health.

  • System Maintenance Control (MA.L2-3.7.2[a])

    The System Maintenance Control subcontrol MA.L2-3.7.2[a] within the Maintenance control of CMMC emphasizes the need for organizations to establish controls governing the maintenance of information systems. This subcontrol specifically addresses the coordination, planning, and execution of system maintenance activities to ensure that they align with organizational policies, minimize disruptions, and maintain the security and functionality of information systems.

  • System Maintenance Control (MA.L2-3.7.2[b])

    The System Maintenance Control subcontrol MA.L2-3.7.2[b] within the Maintenance control of CMMC emphasizes the importance of organizations establishing controls to govern and supervise maintenance activities on information systems. This subcontrol specifically focuses on documentation, ensuring that organizations maintain accurate records of system maintenance activities, changes, and configurations.

  • System Maintenance Control (MA.L2-3.7.2[c])

    The System Maintenance Control subcontrol MA.L2-3.7.2[c] within the Maintenance control of CMMC emphasizes the importance of organizations establishing controls to govern and supervise maintenance activities on information systems. This subcontrol specifically focuses on ensuring that maintenance activities are authorized, tracked, and aligned with organizational policies.

  • System Maintenance Control (MA.L2-3.7.2[d])

    The System Maintenance Control subcontrol MA.L2-3.7.2[d] within the Maintenance control of CMMC focuses on establishing controls to manage and supervise maintenance activities on information systems. Specifically, this subcontrol emphasizes the need for organizations to review and assess the impact of system maintenance activities, ensuring that they align with organizational policies and do not compromise the security or functionality of information systems.

  • Equipment Sanitization (MA.L2-3.7.3)

    The Equipment Sanitization subcontrol MA.L2-3.7.3 within the Maintenance control of CMMC focuses on establishing processes and procedures for the proper and secure sanitization of information system equipment. This includes the removal of sensitive data from equipment that is no longer in use, ensuring that it is prepared for disposal, reuse, or reallocation without compromising the confidentiality of information.

  • Equipment Sanitization (MA.L2-3.7.3[a])

    The Equipment Sanitization subcontrol MA.L2-3.7.3[a] within the Maintenance control of CMMC focuses on enhancing the security of information systems by ensuring that sensitive data is effectively removed or destroyed from information system equipment that is being decommissioned, disposed of, or repurposed. This subcontrol emphasizes the need for organizations to employ secure methods for sanitizing equipment.

  • Media Inspection (MA.L2-3.7.4)

    The Media Inspection subcontrol MA.L2-3.7.4 within the Maintenance control of CMMC focuses on implementing processes and procedures for inspecting and verifying the physical and logical security of information system media. This subcontrol aims to ensure that media containing sensitive data is regularly examined to detect and mitigate any potential security vulnerabilities or unauthorized access.

  • Media Inspection (MA.L2-3.7.4[a])

    The Media Inspection subcontrol MA.L2-3.7.4[a] within the Maintenance control of CMMC focuses on enhancing the security of information systems by implementing regular and systematic inspections of logical media. This subcontrol specifically addresses the need for organizations to examine virtual drives and storage containers to identify and address potential security vulnerabilities or unauthorized access.

  • Nonlocal Maintenance (MA.L2-3.7.5)

    The Nonlocal Maintenance subcontrol MA.L2-3.7.5 within the Maintenance control of CMMC focuses on managing and securing maintenance activities performed on information systems from nonlocal locations. This subcontrol aims to mitigate risks associated with remote maintenance, ensuring that proper controls are in place to protect sensitive information and maintain the overall security of the system.

  • Nonlocal Maintenance (MA.L2-3.7.5[a])

    The Nonlocal Maintenance subcontrol MA.L2-3.7.5[a] within the Maintenance control of CMMC focuses on enhancing the security of information systems by implementing specific measures to control and monitor nonlocal maintenance activities. This subcontrol addresses the unique challenges and risks associated with maintenance activities performed from remote locations.

  • Nonlocal Maintenance (MA.L2-3.7.5[b])

    The Nonlocal Maintenance subcontrol MA.L2-3.7.5[b] within the Maintenance control of CMMC focuses on ensuring the security of information systems during nonlocal maintenance activities. This subcontrol specifically addresses the need to manage and control the use of nonlocal maintenance sessions, emphasizing the importance of monitoring and securing remote access.

  • Maintenance Personnel (MA.L2-3.7.6)

    The Maintenance Personnel subcontrol MA.L2-3.7.6 within the Maintenance control of CMMC focuses on managing and controlling the activities of maintenance personnel to ensure the secure and effective maintenance of information systems. This subcontrol addresses the need for organizations to establish measures for selecting, authorizing, and monitoring individuals involved in maintenance tasks.

  • Maintenance Personnel (MA.L2-3.7.6[a])

    The Maintenance Personnel subcontrol MA.L2-3.7.6[a] within the Maintenance control of CMMC focuses on ensuring the security and reliability of information systems by specifically addressing the activities of maintenance personnel. This subcontrol emphasizes the need to carefully select, authorize, and monitor individuals involved in maintenance tasks to reduce the risk of unauthorized access and potential security incidents.

The Incident Response (IR) control within the CMMCv2 framework focuses on establishing a robust and effective incident response capability to detect, respond to, and recover from cybersecurity incidents. This control aims to minimize the impact of incidents on information systems, ensure the continuity of operations, and facilitate timely recovery.

  • Incident Handling (IR.L2-3.6.1)

    The Incident Handling subcontrol IR.L2-3.6.1 within the Incident Response control of CMMC focuses on establishing effective processes and procedures to promptly detect, report, respond to, and recover from cybersecurity incidents. This subcontrol is essential for minimizing the impact of incidents, restoring normal operations, and preventing future occurrences.

  • Incident Handling (IR.L2-3.6.1[a])

    The Incident Handling subcontrol IR.L2-3.6.1[a] within the Incident Response control of CMMC emphasizes the importance of establishing procedures for reporting and documenting cybersecurity incidents. This subcontrol focuses on timely and accurate reporting to ensure a swift and effective response to incidents, contributing to the overall resilience of the organization's information systems.

  • Incident Handling (IR.L2-3.6.1[b])

    The Incident Handling subcontrol IR.L2-3.6.1[b] within the Incident Response control of CMMC emphasizes the importance of analyzing and documenting incidents to support effective response and improve future incident handling capabilities. This subcontrol focuses on the collection and analysis of incident-related data to enhance the organization's understanding of cybersecurity threats.

  • Incident Handling (IR.L2-3.6.1[c])

    The Incident Handling subcontrol IR.L2-3.6.1[c] within the Incident Response control of CMMC emphasizes the importance of communicating incident information to appropriate parties, both within and external to the organization. This subcontrol focuses on maintaining effective communication channels to facilitate coordinated incident response efforts and share relevant information with stakeholders.

  • Incident Handling (IR.L2-3.6.1[d])

    The Incident Handling subcontrol IR.L2-3.6.1[d] within the Incident Response control of CMMC focuses on incorporating lessons learned from incident response activities into the organization's cybersecurity practices. This subcontrol emphasizes continuous improvement by analyzing incidents, identifying areas for enhancement, and updating incident response procedures accordingly.

  • Incident Handling (IR.L2-3.6.1[e])

    The Incident Handling subcontrol IR.L2-3.6.1[e] within the Incident Response control of CMMC focuses on providing feedback to individuals and teams involved in incident response activities. This subcontrol emphasizes the importance of recognizing and acknowledging the efforts of incident response personnel, contributing to their professional development and fostering a culture of continuous improvement.

  • Incident Handling (IR.L2-3.6.1[f])

    The Incident Handling subcontrol IR.L2-3.6.1[f] within the Incident Response control of CMMC focuses on coordinating with external organizations during incident response activities. This subcontrol emphasizes the importance of establishing relationships, communication channels, and collaborative processes with external entities to enhance incident response capabilities.

  • Incident Handling (IR.L2-3.6.1[g])

    The Incident Handling subcontrol IR.L2-3.6.1[g] within the Incident Response control of CMMC emphasizes the importance of maintaining incident documentation and records. This subcontrol focuses on the systematic documentation of incident details, response actions, and outcomes to support post-incident analysis, compliance, and organizational learning.

  • Incident Reporting (IR.L2-3.6.2)

    The Incident Reporting subcontrol IR.L2-3.6.2 within the Incident Response control of CMMC focuses on the timely and accurate reporting of cybersecurity incidents to internal and external stakeholders. This subcontrol emphasizes the importance of establishing clear procedures for incident reporting to facilitate a swift and coordinated response.

  • Incident Reporting (IR.L2-3.6.2[a])

    The Incident Reporting subcontrol IR.L2-3.6.2[a] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to appropriate internal entities. This subcontrol focuses on establishing clear procedures for internal incident reporting to ensure that relevant teams within the organization are informed promptly.

  • Incident Reporting (IR.L2-3.6.2[b])

    The Incident Reporting subcontrol IR.L2-3.6.2[b] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to external entities, including the appropriate authorities, as required by regulations and agreements. This subcontrol focuses on establishing clear procedures for external incident reporting to facilitate compliance and coordination with law enforcement, regulatory bodies, and industry partners.

  • Incident Reporting (IR.L2-3.6.2[c])

    The Incident Reporting subcontrol IR.L2-3.6.2[c] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to external entities for the purpose of sharing threat intelligence. This subcontrol focuses on establishing procedures for sharing relevant information with external organizations, fostering collaboration, and contributing to the collective defense against cyber threats.

  • Incident Reporting (IR.L2-3.6.2[d])

    The Incident Reporting subcontrol IR.L2-3.6.2[d] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to the appropriate entities for legal and contractual purposes. This subcontrol focuses on establishing procedures for fulfilling legal and contractual obligations related to incident reporting, ensuring organizations meet regulatory requirements and maintain transparency with relevant stakeholders.

  • Incident Reporting (IR.L2-3.6.2[e])

    The Incident Reporting subcontrol IR.L2-3.6.2[e] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to appropriate external entities for the purpose of contributing to collective defense efforts. This subcontrol focuses on establishing procedures for sharing relevant threat intelligence with external entities, fostering collaboration, and enhancing the overall cybersecurity posture.

  • Incident Reporting (IR.L2-3.6.2[f])

    The Incident Reporting subcontrol IR.L2-3.6.2[f] within the Incident Response control of CMMC emphasizes the importance of reporting cybersecurity incidents to appropriate external entities for the purpose of coordinating response activities. This subcontrol focuses on establishing procedures for sharing incident details with external entities to facilitate collaborative incident response efforts and enhance overall cybersecurity resilience.

  • Incident Response Testing (IR.L2-3.6.3)

    The Incident Response Testing subcontrol IR.L2-3.6.3 within the Incident Response control of CMMC focuses on regularly testing and evaluating incident response capabilities to ensure the effectiveness of the organization's response procedures. This subcontrol emphasizes the importance of conducting simulated incident response exercises to identify areas for improvement, enhance preparedness, and strengthen the overall response posture.

  • Incident Response Testing (IR.L2-3.6.3[a])

    The Incident Response Testing subcontrol IR.L2-3.6.3[a] within the Incident Response control of CMMC emphasizes the need for organizations to conduct tabletop exercises as part of their incident response testing strategy. These exercises involve simulation and discussion of hypothetical cyber incidents, allowing key personnel to evaluate and enhance their understanding of the incident response plan and procedures.

The Identification and Authentication (IA) control within the CMMCv2 framework is designed to establish processes and mechanisms for verifying the identity of individuals or entities attempting to access information systems. This control ensures that only authorized users gain access to sensitive information, reducing the risk of unauthorized access and protecting the confidentiality, integrity, and availability of data.

  • Identification (IA.L1-3.5.1)

    The Identification subcontrol IA.L1-3.5.1 within the Identification and Authentication control of CMMC focuses on the establishment and maintenance of user identities to ensure the accountability of individuals accessing organizational systems. This subcontrol emphasizes the need for unique identifiers for users and the management of associated authentication credentials.

  • Identification (IA.L1-3.5.1[a])

    The Identification subcontrol IA.L1-3.5.1[a] within the Identification and Authentication control of CMMC focuses on the establishment and maintenance of unique user identifiers to ensure the accountability of individuals accessing organizational systems. This specific aspect highlights the need for distinct identifiers for non-human entities, such as devices, services, or system processes.

  • Identification (IA.L1-3.5.1[b])

    The Identification subcontrol IA.L1-3.5.1[b] within the Identification and Authentication control of CMMC focuses on the establishment and management of unique user identifiers for individuals accessing organizational systems. This specific aspect emphasizes the importance of identifiers for privileged users and administrators who have elevated access privileges within the organization.

  • Identification (IA.L1-3.5.1[c])

    The Identification subcontrol IA.L1-3.5.1[c] within the Identification and Authentication control of CMMC focuses on the establishment and maintenance of unique user identifiers specifically for external users accessing organizational systems. This aspect highlights the importance of precise identification for individuals who are not internal employees but require access to organizational resources.

  • Authentication (IA.L1-3.5.2)

    The Authentication subcontrol IA.L1-3.5.2 within the Identification and Authentication control of CMMC focuses on ensuring the secure and reliable verification of the identities of users accessing organizational systems. This subcontrol emphasizes the implementation of robust authentication mechanisms to protect against unauthorized access and ensure the integrity of user identities.

  • Authentication (IA.L1-3.5.2[a])

    The Authentication subcontrol IA.L1-3.5.2[a] within the Identification and Authentication control of CMMC focuses on the implementation of Multi-Factor Authentication (MFA) for privileged users. This subcontrol specifically emphasizes the need to enhance the security of authentication processes for individuals with elevated access privileges, such as administrators and other privileged users.

  • Authentication (IA.L1-3.5.2[b])

    The Authentication subcontrol IA.L1-3.5.2[b] within the Identification and Authentication control of CMMC focuses on the secure and effective management of user authentication credentials. This subcontrol emphasizes the importance of enforcing strong password policies and ensuring that users create and maintain robust passwords to enhance the overall security of organizational systems.

  • Authentication (IA.L1-3.5.2[c])

    The Authentication subcontrol IA.L1-3.5.2[c] within the Identification and Authentication control of CMMC focuses on the secure implementation of biometric authentication methods. This subcontrol emphasizes the use of biometrics, such as fingerprint or facial recognition, as a means to enhance the reliability and strength of user authentication.

  • Multifactor Authentication (IA.L2-3.5.3)

    The Multifactor Authentication (MFA) subcontrol IA.L2-3.5.3 within the Identification and Authentication control of CMMC emphasizes the implementation of robust and multifaceted authentication measures. This subcontrol requires the use of at least two different authentication factors to verify the identity of users accessing organizational systems, adding an extra layer of security beyond traditional password-based methods.

  • Least Privilege (AC.L2-3.1.5[a])

    The Least Privilege subcontrol AC.L2-3.1.5[a] within the Identification and Authentication control of CMMC emphasizes the principle of providing users with the minimum level of access required to perform their job functions. This subcontrol ensures that users only have access to the resources and data necessary for their specific roles, reducing the risk of unauthorized access or misuse of sensitive information.

  • Multifactor Authentication (IA.L2-3.5.3[a])

    The Multifactor Authentication (MFA) subcontrol IA.L2-3.5.3[a] within the Identification and Authentication control of CMMC emphasizes the implementation of robust authentication mechanisms that involve the use of at least two distinct factors. This subcontrol enhances the security of user authentication by requiring the presentation of multiple forms of identification, reducing the risk of unauthorized access.

  • Multifactor Authentication (IA.L2-3.5.3[b])

    The Multifactor Authentication (MFA) subcontrol IA.L2-3.5.3[b] within the Identification and Authentication control of CMMC accentuates the importance of robust authentication practices. It mandates the utilization of at least two independent authentication factors during the user authentication process, significantly enhancing the security posture of organizational systems.

  • Multifactor Authentication (IA.L2-3.5.3[c])

    The Multifactor Authentication (MFA) subcontrol IA.L2-3.5.3[c] within the Identification and Authentication control of CMMC reinforces the necessity of robust authentication measures. It mandates the implementation of at least two distinct and independent authentication factors during user authentication processes, adding a critical layer of security to protect against unauthorized access.

  • Multifactor Authentication (IA.L2-3.5.3[d])

    The Multifactor Authentication (MFA) subcontrol IA.L2-3.5.3[d] within the Identification and Authentication control of CMMC emphasizes the importance of bolstering authentication practices. It mandates the implementation of at least two independent authentication factors during user authentication processes, adding an essential layer of security to protect against unauthorized access.

  • Replay-Resistant Authentication (IA.L2-3.5.4)

    The Replay-Resistant Authentication (IA.L2-3.5.4) subcontrol within the Identification and Authentication control of CMMC focuses on mitigating the risks associated with replay attacks during the authentication process. It mandates the implementation of measures that prevent the unauthorized reuse of authentication data, reinforcing the overall security of user access.

  • Replay-Resistant Authentication (IA.L2-3.5.4[a])

    The Replay-Resistant Authentication (IA.L2-3.5.4[a]) subcontrol within the Identification and Authentication control of CMMC addresses the specific need to safeguard against replay attacks during the authentication process. It mandates the implementation of measures that resist unauthorized reuse of authentication data, adding a layer of security to protect against potential threats.

  • Identifier Reuse (IA.L2-3.5.5)

    The Identifier Reuse (IA.L2-3.5.5) subcontrol within the Identification and Authentication control of CMMC addresses the potential risks associated with the reuse of identifiers during the authentication process. It mandates measures to prevent the recycling of identifiers, such as usernames or account names, to enhance the overall security of user access.

  • Identifier Reuse (IA.L2-3.5.5[a])

    The Identifier Reuse (IA.L2-3.5.5[a]) subcontrol within the Identification and Authentication control of CMMC specifically addresses the prevention of identifier reuse, focusing on the secure management of identifiers to enhance overall authentication security. It ensures that once an identifier (e.g., username, account name) is used, it is not recycled or reassigned to other users.

  • Identifier Reuse (IA.L2-3.5.5[b])

    The Identifier Reuse (IA.L2-3.5.5[b]) subcontrol within the Identification and Authentication control of CMMC focuses on preventing the unintentional or unauthorized reuse of identifiers. It establishes measures to ensure that identifiers, such as usernames or account names, are not reintroduced for new users without adequate consideration for security implications.

  • Identifier Handling (IA.L2-3.5.6)

    The Identifier Handling (IA.L2-3.5.6) subcontrol within the Identification and Authentication control of CMMC focuses on establishing secure practices for the creation, transmission, and storage of identifiers (e.g., usernames, account names). It aims to prevent unauthorized access, disclosure, or compromise of identifiers through robust handling procedures.

  • Identifier Handling (IA.L2-3.5.6[a])

    The Identifier Handling (IA.L2-3.5.6[a]) subcontrol within the Identification and Authentication control of CMMC specifically addresses the secure creation of identifiers. It focuses on establishing guidelines and practices to ensure that identifiers, such as usernames and account names, are generated in a manner that enhances resistance to unauthorized access and exploitation.

  • Identifier Handling (IA.L2-3.5.6[b])

    The Identifier Handling (IA.L2-3.5.6[b]) subcontrol within the Identification and Authentication control of CMMC addresses the secure transmission of identifiers. It focuses on establishing guidelines and practices to ensure that identifiers, such as usernames and account names, are transmitted securely to prevent unauthorized interception and access.

  • Password Complexity (IA.L2-3.5.7)

    The Password Complexity (IA.L2-3.5.7) subcontrol within the Identification and Authentication control of CMMC focuses on establishing and enforcing secure password complexity requirements. It aims to enhance the strength of passwords used for authentication, reducing the risk of unauthorized access through the use of weak or easily guessable passwords.

  • Password Complexity (IA.L2-3.5.7[a])

    Password Complexity (IA.L2-3.5.7[a]) is a specific aspect of the Identification and Authentication control within CMMC that focuses on enhancing the security of passwords used for authentication. This subcontrol emphasizes the establishment and enforcement of specific password complexity requirements to mitigate the risk of unauthorized access through the use of weak or easily guessable passwords.

  • Password Complexity (IA.L2-3.5.7[b])

    Password Complexity (IA.L2-3.5.7[b]) is a subcontrol within the Identification and Authentication (IA) control of CMMC that specifically addresses the establishment and enforcement of password complexity requirements. This subcontrol aims to enhance the security of authentication by mitigating the risk of unauthorized access through the use of weak or easily guessable passwords.

  • Password Complexity (IA.L2-3.5.7[c])

    Password Complexity (IA.L2-3.5.7[c]) is a subcontrol within the Identification and Authentication (IA) control of CMMC, focusing on the establishment and enforcement of password complexity requirements. This subcontrol aims to enhance the security of authentication by reducing the risk of unauthorized access through the use of weak or easily guessable passwords.

  • Password Complexity (IA.L2-3.5.7[d])

    Password Complexity (IA.L2-3.5.7[d]) is a subcontrol within the Identification and Authentication (IA) control of CMMC, addressing the establishment and enforcement of password complexity requirements. This subcontrol focuses on enhancing authentication security by reducing the risk of unauthorized access through the implementation of stringent password complexity standards.

  • Password Reuse (IA.L2-3.5.8)

    Password Reuse (IA.L2-3.5.8) is a subcontrol within the Identification and Authentication (IA) control of CMMC, focusing on mitigating the risk of unauthorized access through the prevention of password reuse. This subcontrol emphasizes the importance of unique passwords for different accounts or systems to enhance overall security.

  • Password Reuse (IA.L2-3.5.8[a])

    Password Reuse (IA.L2-3.5.8[a]) is a subcontrol within the Identification and Authentication (IA) control of CMMC, focusing on mitigating the risk of unauthorized access through the prevention of password reuse. This subcontrol emphasizes the need for organizations to establish clear policies and technical controls that discourage or prohibit users from reusing passwords across different accounts or systems.

  • Password Reuse (IA.L2-3.5.8[b])

    Password Reuse (IA.L2-3.5.8[b]) is a subcontrol within the Identification and Authentication (IA) control of CMMC, emphasizing the need for organizations to implement technical controls that discourage or prevent users from reusing passwords across different accounts or systems. This subcontrol specifically focuses on the technical aspects of preventing password reuse.

  • Temporary Passwords (IA.L2-3.5.9)

    Temporary Passwords (IA.L2-3.5.9) is a subcontrol within the Identification and Authentication (IA) control of CMMC, focusing on the secure management and usage of temporary passwords. This subcontrol is designed to ensure that temporary passwords are implemented securely to prevent unauthorized access and enhance overall authentication security.

  • Temporary Passwords (IA.L2-3.5.9[a])

    Temporary Passwords (IA.L2-3.5.9[a]) is a subcontrol within the Identification and Authentication (IA) control of CMMC, specifically addressing the secure generation and distribution of temporary passwords. This subcontrol focuses on ensuring that temporary passwords are created and delivered in a secure manner to prevent unauthorized access.

  • Cryptographically-Protected Passwords (IA.L2-3.5.10)

    Cryptographically-Protected Passwords (IA.L2-3.5.10) is a subcontrol within the Identification and Authentication (IA) control of CMMC, emphasizing the use of strong cryptographic protection for stored passwords. This subcontrol aims to enhance the security of password storage and retrieval mechanisms, safeguarding sensitive credentials from unauthorized access.

  • Cryptographically-Protected Passwords (IA.L2-3.5.10[a])

    Cryptographically-Protected Passwords (IA.L2-3.5.10[a]) is a refinement of the Cryptographically-Protected Passwords subcontrol within the Identification and Authentication (IA) control of CMMC. This subcontrol focuses on enhancing the protection of stored passwords through the use of industry-standard cryptographic measures.

  • Cryptographically-Protected Passwords (IA.L2-3.5.10[b])

    Cryptographically-Protected Passwords (IA.L2-3.5.10[b]) is a refinement of the Cryptographically-Protected Passwords subcontrol within the Identification and Authentication (IA) control of CMMC. This subcontrol specifically emphasizes the importance of securely managing cryptographic keys used in password protection.

  • Obscure Feedback (IA.L2-3.5.11)

    The Obscure Feedback control within Identification and Authentication (IA) in CMMCv2 aims to enhance security by obscuring or encrypting feedback provided to users during the authentication process. This helps prevent potential attackers from gathering information that could be used to compromise user accounts.

  • Obscure Feedback (IA.L2-3.5.11[a])

    The Obscure Feedback (Enhanced) subcontrol within Identification and Authentication (IA) in CMMCv2 aims to build upon the basic Obscure Feedback control by providing additional layers of security in obscuring feedback during the authentication process. This enhances the resilience against potential attacks attempting to glean sensitive information from the authentication feedback.

The Configuration Management (CM) control within the CMMCv2 framework is designed to establish and maintain an organized and secure baseline for information systems. This control ensures that configurations are well-documented, controlled, and consistent, minimizing vulnerabilities and enhancing the overall security posture of the organization.

  • System Baselining (CM.L2-3.4.1)

    The System Baselining subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing and maintaining a baseline configuration for information systems. This involves documenting and controlling changes to the system's configuration to ensure a secure and reliable operational environment.

  • System Baselining (CM.L2-3.4.1[a])

    The System Baselining (Enhanced) subcontrol within Configuration Management (CM) in CMMCv2 builds upon the foundational principles of CM.L2-3.4.1, aiming to enhance the security and adaptability of the baseline configuration for information systems. This involves incorporating advanced measures to respond to evolving threats and requirements.

  • System Baselining (CM.L2-3.4.1[b])

    The System Baselining (Continuous Monitoring) subcontrol within Configuration Management (CM) in CMMCv2 enhances the traditional baseline approach by incorporating continuous monitoring practices. This ensures real-time visibility into system configurations, facilitating immediate detection and response to unauthorized changes.

  • System Baselining (CM.L2-3.4.1[c])

    The System Baselining (Documentation and Review) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the importance of maintaining comprehensive documentation and conducting regular reviews of the baseline configuration. This ensures that the baseline accurately reflects the current state of the information system and supports effective decision-making.

  • System Baselining (CM.L2-3.4.1[d])

    The System Baselining (Incident Response Integration) subcontrol within Configuration Management (CM) in CMMCv2 focuses on integrating baseline configuration information into incident response processes. This ensures that deviations from the baseline are promptly identified, investigated, and responded to, minimizing the impact of security incidents.

  • System Baselining (CM.L2-3.4.1[e])

    The System Baselining (Continuous Improvement) subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing a process for continuous improvement of baseline configurations. This involves regular assessments, feedback loops, and adjustments to enhance the overall effectiveness of the baseline in response to evolving threats and organizational requirements.

  • System Baselining (CM.L2-3.4.1[f])

    The System Baselining (Configuration Versioning) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing versioning practices for baseline configurations. This involves maintaining a historical record of configuration changes, enabling organizations to track modifications, assess their impact, and revert to previous states if necessary.

  • Security Configuration Enforcement (CM.L2-3.4.2)

    The Security Configuration Enforcement subcontrol within Configuration Management (CM) in CMMCv2 focuses on the systematic enforcement of security configurations for information systems. This involves implementing measures to ensure that systems operate in accordance with approved security configurations, minimizing vulnerabilities and reducing the attack surface.

  • Security Configuration Enforcement (CM.L2-3.4.2[a])

    The Security Configuration Enforcement (Enhanced) subcontrol within Configuration Management (CM) in CMMCv2 extends the basic principles of security configuration enforcement by incorporating advanced measures and technologies. This includes enhanced automation, continuous monitoring, and adaptive security configurations to address evolving threats.

  • Security Configuration Enforcement (CM.L2-3.4.2[b])

    The Security Configuration Enforcement (Advanced Auditing) subcontrol within Configuration Management (CM) in CMMCv2 enhances security configuration enforcement by focusing on advanced auditing practices. This involves implementing robust auditing mechanisms to track and analyze changes to security configurations, aiding in incident response and accountability.

  • System Change Management (CM.L2-3.4.3)

    The System Change Management subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing a structured process for managing changes to information systems. This includes documenting, reviewing, approving, and implementing changes in a controlled manner to ensure the security and integrity of the systems.

  • System Change Management (CM.L2-3.4.3[a])

    The System Change Management (Enhanced Documentation) subcontrol within Configuration Management (CM) in CMMCv2 enhances the basic principles of change management by emphasizing the importance of comprehensive documentation throughout the change management process. This includes detailed records of change requests, assessments, approvals, testing, and implementation.

  • System Change Management (CM.L2-3.4.3[b])

    The System Change Management (Automated Change Approval) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the use of automated processes for change approval. This involves implementing technologies and workflows to streamline and accelerate the approval process for changes, ensuring efficiency while maintaining security and compliance.

  • System Change Management (CM.L2-3.4.3[c])

    The System Change Management (Continuous Monitoring) subcontrol within Configuration Management (CM) in CMMCv2 focuses on integrating continuous monitoring practices into the change management process. This involves real-time tracking of changes, assessing their impact, and ensuring ongoing compliance with security policies.

  • System Change Management (CM.L2-3.4.3[d])

    The System Change Management (Incident Response Integration) subcontrol within Configuration Management (CM) in CMMCv2 enhances the change management process by integrating it with incident response procedures. This involves aligning change management practices with incident response efforts to effectively address and recover from unexpected issues or security incidents resulting from changes.

  • Security Impact Analysis (CM.L2-3.4.4)

    The Security Impact Analysis subcontrol within Configuration Management (CM) in CMMCv2 focuses on conducting thorough analyses to assess the security impacts of proposed changes to information systems. This involves evaluating how changes may affect the confidentiality, integrity, and availability of sensitive information and system resources.

  • Security Impact Analysis (CM.L2-3.4.4[a])

    The Security Impact Analysis (Enhanced Assessment) subcontrol within Configuration Management (CM) in CMMCv2 extends the basic principles of security impact analysis by incorporating advanced assessment techniques. This involves employing enhanced methodologies and tools to conduct thorough analyses of proposed changes and their potential impacts on information systems.

  • Access Restrictions for Change (CM.L2-3.4.5)

    The Access Restrictions for Change subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing controls to restrict access to systems undergoing changes. This involves enforcing measures to ensure that only authorized personnel have access to the configuration items during the change process, preventing unauthorized modifications or disruptions.

  • Access Restrictions for Change (CM.L2-3.4.5[a])

    The Access Restrictions for Change (Enhanced Authentication) subcontrol within Configuration Management (CM) in CMMCv2 builds upon the basic principles of access restrictions during the change process. This subcontrol specifically focuses on strengthening authentication measures to further enhance the security of configuration items during changes. By implementing enhanced authentication mechanisms, organizations aim to ensure that only authorized individuals with the appropriate credentials can access and modify configuration items.

  • Access Restrictions for Change (CM.L2-3.4.5[b])

    The Access Restrictions for Change (Role-Based Access Control) subcontrol within Configuration Management (CM) in CMMCv2 focuses on refining access restrictions during the change process through the implementation of role-based access control (RBAC). This control ensures that individuals have access rights based on their specific roles or responsibilities within the change management workflow, reducing the risk of unauthorized modifications.

  • Access Restrictions for Change (CM.L2-3.4.5[c])

    The Access Restrictions for Change (Temporal Access Controls) subcontrol within Configuration Management (CM) in CMMCv2 extends access restrictions during the change process by implementing temporal access controls. This ensures that access to configuration items is granted only for a specific duration, reducing the risk of prolonged or unauthorized access.

  • Access Restrictions for Change (CM.L2-3.4.5[d])

    The Access Restrictions for Change (Privileged Access Management) subcontrol within Configuration Management (CM) in CMMCv2 aims to enhance access restrictions during the change process by implementing privileged access management. This involves controlling and monitoring access to configuration items, particularly for individuals with elevated privileges, ensuring that such access is carefully managed to prevent unauthorized or inappropriate changes.

  • Access Restrictions for Change (CM.L2-3.4.5[e])

    The Access Restrictions for Change (Encryption of Configuration Data) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the importance of protecting configuration data during the change process by implementing encryption measures. This ensures that unauthorized access to configuration items is further restricted, and the confidentiality and integrity of sensitive information are maintained.

  • Access Restrictions for Change (CM.L2-3.4.5[f])

    The Access Restrictions for Change (Logging and Monitoring) subcontrol within Configuration Management (CM) in CMMCv2 focuses on enhancing access restrictions during the change process by implementing robust logging and monitoring mechanisms. This ensures that all access to configuration items is logged, monitored, and analyzed for any suspicious or unauthorized activities.

  • Access Restrictions for Change (CM.L2-3.4.5[g])

    The Access Restrictions for Change (Geo-fencing) subcontrol within Configuration Management (CM) in CMMCv2 introduces geographically based access restrictions during the change process. This involves defining geographical boundaries within which authorized individuals are allowed access to configuration items, limiting access from unauthorized locations.

  • Access Restrictions for Change (CM.L2-3.4.5[h])

    The Access Restrictions for Change (User Behavior Analytics) subcontrol within Configuration Management (CM) in CMMCv2 focuses on leveraging user behavior analytics to enhance access restrictions during the change process. By analyzing patterns of user behavior, organizations can detect anomalies, unusual activities, and potential unauthorized changes to configuration items.

  • Least Functionality (CM.L2-3.4.6)

    The Least Functionality subcontrol within Configuration Management (CM) in CMMCv2 focuses on restricting the functionality of information systems to the minimum necessary for organizational operations. This control aims to reduce the attack surface, potential vulnerabilities, and the risk of unauthorized access or changes to configuration items by eliminating unnecessary functionalities.

  • Least Functionality (CM.L2-3.4.6[a])

    The Least Functionality (Privileged Functions) subcontrol within Configuration Management (CM) in CMMCv2 extends the principle of least functionality to privileged functions within information systems. This control ensures that only authorized personnel with specific roles and responsibilities have access to privileged functionalities related to configuration management, reducing the risk of misuse or unauthorized changes.

  • Least Functionality (CM.L2-3.4.6[b])

    The Least Functionality (Non-essential Functions) subcontrol within Configuration Management (CM) in CMMCv2 focuses on limiting access to non-essential functions and features within information systems. By identifying and restricting unnecessary capabilities, organizations can reduce the attack surface, minimize potential vulnerabilities, and enhance the overall security of configuration items during the change process.

  • Nonessential Functionality (CM.L2-3.4.7)

    The Nonessential Functionality subcontrol within Configuration Management (CM) in CMMCv2 addresses the need to identify and manage nonessential functionality within information systems. This control aims to reduce the attack surface, minimize potential vulnerabilities, and enhance the overall security of configuration items during the change process by limiting access to unnecessary capabilities.

  • Nonessential Functionality (CM.L2-3.4.7[a])

    The Nonessential Functionality (Access Controls for Nonessential Functions) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the need to implement access controls specifically for nonessential functionalities within information systems. This control ensures that only authorized personnel have access to nonessential functions during the configuration management process, reducing the risk of security incidents.

  • Nonessential Functionality (CM.L2-3.4.7[b])

    The Nonessential Functionality (Monitoring of Nonessential Functions) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing monitoring mechanisms for nonessential functionalities within information systems. This control ensures that organizations can detect and respond to any unauthorized or unusual activities related to nonessential functions during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[c])

    The Nonessential Functionality (Risk Assessment of Nonessential Functions) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the need for conducting risk assessments specifically for nonessential functionalities within information systems. This control ensures that organizations systematically evaluate and manage the risks associated with these functions during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[d])

    The Nonessential Functionality (Documentation of Nonessential Functions) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the importance of documenting nonessential functionalities within information systems. This control ensures that organizations maintain comprehensive records of these functions to support risk assessments, monitoring, and decision-making during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[e])

    The Nonessential Functionality (Periodic Review of Nonessential Functions) subcontrol within Configuration Management (CM) in CMMCv2 emphasizes the need for organizations to conduct regular reviews of nonessential functionalities within information systems. This control ensures that these functions are periodically reassessed to account for changes in organizational requirements, system configurations, and potential risks during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[f])

    The Nonessential Functionality (Disposal of Unnecessary Functions) subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing processes to identify, evaluate, and dispose of unnecessary functions within information systems. This control ensures that nonessential functions are removed securely and efficiently, reducing the potential attack surface during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[g])

    The Nonessential Functionality (Verification of Disposal for Unnecessary Functions) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing verification processes to ensure the secure disposal of unnecessary functions. This control ensures that organizations can confirm the effective removal of nonessential functions, reducing the potential for security vulnerabilities during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[h])

    The Nonessential Functionality (Continuous Monitoring of Disposal Status) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing continuous monitoring processes to track the disposal status of unnecessary functions. This control ensures that organizations maintain ongoing awareness of the success and effectiveness of the disposal process, minimizing the risk of residual vulnerabilities during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[i])

    The Nonessential Functionality (Incident Reporting for Disposal Anomalies) subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing processes for incident reporting specifically related to anomalies in the disposal of unnecessary functions. This control ensures that organizations promptly identify and respond to any irregularities during the disposal process, minimizing the risk of security incidents and vulnerabilities in the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[j])

    The Nonessential Functionality (Audit Trail for Disposal Activities) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing audit trail mechanisms for disposal activities related to nonessential functions. This control ensures that organizations maintain detailed records of disposal actions, facilitating accountability and enabling forensic analysis in case of security incidents during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[k])

    The Nonessential Functionality (Training on Disposal Procedures) subcontrol within Configuration Management (CM) in CMMCv2 focuses on providing training to personnel involved in the disposal of nonessential functions. This control ensures that individuals responsible for disposal activities are adequately trained on procedures, security measures, and compliance requirements, reducing the risk of errors and security incidents during the configuration management process.

  • Nonessential Functionality (CM.L2-3.4.7[l])

    The Nonessential Functionality (Periodic Review of Training Effectiveness) subcontrol within Configuration Management (CM) in CMMCv2 focuses on conducting periodic assessments to evaluate the effectiveness of the training program for personnel involved in the disposal of nonessential functions. This control ensures that training remains current, relevant, and responsive to emerging threats and changes in organizational requirements.

  • Nonessential Functionality (CM.L2-3.4.7[m])

    The Nonessential Functionality (Documentation of Training Records) subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing and maintaining comprehensive documentation of training records for personnel involved in the disposal of nonessential functions. This control ensures that organizations have a clear record of training activities, supporting compliance, accountability, and continuous improvement.

  • Nonessential Functionality (CM.L2-3.4.7[n])

    The Nonessential Functionality (Periodic Training Program Review) subcontrol within Configuration Management (CM) in CMMCv2 focuses on conducting periodic reviews of the overall training program for personnel involved in the disposal of nonessential functions. This control ensures that the training program remains effective, relevant, and aligned with organizational objectives over time.

  • Nonessential Functionality (CM.L2-3.4.7[o])

    The Nonessential Functionality (Incident Response for Training Program Anomalies) subcontrol within Configuration Management (CM) in CMMCv2 focuses on establishing an incident response plan specifically for addressing anomalies or issues identified during the periodic review of the training program. This control ensures that organizations can promptly respond to training program deficiencies, update materials, and improve the overall effectiveness of training for personnel involved in the disposal of nonessential functions.

  • Application Execution Policy (CM.L2-3.4.8)

    The Application Execution Policy subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing policies and procedures to control and manage the execution of applications within an organization's information systems. This control is designed to reduce the risk associated with unauthorized or malicious applications running on system components, ensuring a secure configuration environment.

  • Application Execution Policy (CM.L2-3.4.8[a])

    The Application Execution Policy (Whitelisting) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing a whitelisting approach to control the execution of applications on organizational information systems. This control ensures that only approved and authorized applications are allowed to run, reducing the risk of unauthorized or malicious software.

  • Application Execution Policy (CM.L2-3.4.8[b])

    The Application Execution Policy (Blacklisting) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing a blacklisting approach to control the execution of applications on organizational information systems. This control ensures that known unauthorized or malicious applications are explicitly prohibited from running, reducing the risk of security incidents.

  • Application Execution Policy (CM.L2-3.4.8[c])

    The Application Execution Policy (Greylisting) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing a greylisting approach to control the execution of applications on organizational information systems. This control allows organizations to temporarily delay or scrutinize the execution of applications not included in either the whitelist or blacklist, providing additional scrutiny for unknown or unverified software.

  • User-Installed Software (CM.L2-3.4.9)

    The User-Installed Software subcontrol within Configuration Management (CM) in CMMCv2 focuses on managing and controlling the installation of software by end-users on organizational information systems. This control is designed to reduce the risk of unauthorized or insecure software being introduced, ensuring that user-installed software aligns with security policies and requirements.

  • User-Installed Software (CM.L2-3.4.9[a])

    The User-Installed Software (Approval Process) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing a formalized approval process for user-installed software on organizational information systems. This control ensures that the introduction of new software aligns with security policies, undergoes proper vetting, and minimizes the risk of security incidents.

  • User-Installed Software (CM.L2-3.4.9[b])

    The User-Installed Software (Monitoring and Enforcement) subcontrol within Configuration Management (CM) in CMMCv2 focuses on implementing monitoring and enforcement mechanisms for user-installed software on organizational information systems. This control aims to actively monitor software installations by end-users and enforce policies to ensure compliance with security requirements.

  • User-Installed Software (CM.L2-3.4.9[c])

    The User-Installed Software (Risk Assessment) subcontrol within Configuration Management (CM) in CMMCv2 focuses on conducting risk assessments for user-installed software on organizational information systems. This control aims to systematically evaluate the security risks associated with user-installed applications and take appropriate measures to mitigate identified risks.

The Awareness and Training (AT) control within the CMMCv2 framework focuses on establishing a comprehensive program to educate and train personnel on cybersecurity risks, policies, and best practices. This control recognizes the critical role of personnel awareness and knowledge in mitigating cyber threats and ensuring the secure handling of sensitive information.

  • Role-Based Risk Awareness (AT.L2-3.2.1)

    The Role-Based Risk Awareness subcontrol within Awareness and Training (AT) in CMMCv2 focuses on providing targeted risk awareness training to individuals based on their roles within the organization. This control is designed to ensure that personnel are equipped with role-specific knowledge to identify and mitigate risks effectively.

  • Role-Based Risk Awareness (AT.L2-3.2.1[a])

    The Role-Based Risk Awareness (Customized Training) subcontrol within Awareness and Training (AT) in CMMCv2 emphasizes the need for organizations to tailor their risk awareness training programs to address specific roles within the organization. This control ensures that training content is customized to the unique responsibilities and risks associated with each role.

  • Role-Based Risk Awareness (AT.L2-3.2.1[b])

    The Role-Based Risk Awareness (Assessment and Feedback) subcontrol within Awareness and Training (AT) in CMMCv2 focuses on establishing mechanisms for assessing the effectiveness of role-based risk awareness training and providing feedback to individuals in various roles. This control ensures continuous improvement by evaluating the impact of training on personnel's ability to understand and address role-specific risks.

  • Role-Based Risk Awareness (AT.L2-3.2.1[c])

    The Role-Based Risk Awareness (Reinforcement and Integration) subcontrol within Awareness and Training (AT) in CMMCv2 focuses on reinforcing role-based risk awareness through ongoing education and integrating risk considerations into day-to-day operations. This control ensures that personnel maintain a heightened awareness of risks associated with their roles and consistently apply best practices in their activities.

  • Role-Based Risk Awareness (AT.L2-3.2.1[d])

    The Role-Based Risk Awareness (Measurement and Evaluation) subcontrol within Awareness and Training (AT) in CMMCv2 focuses on implementing measurement and evaluation mechanisms to assess the effectiveness of role-based risk awareness training. This control ensures that organizations have quantifiable metrics to gauge the impact of training on individuals in various roles and make data-driven improvements.

  • Role-Based Training (AT.L2-3.2.2)

    The Role-Based Training subcontrol within Awareness and Training (AT) in CMMCv2 emphasizes the need for organizations to provide tailored training programs based on the specific roles and responsibilities of individuals. This control ensures that training content is customized to address the unique knowledge and skills required for various job functions.

  • Role-Based Training (AT.L2-3.2.2[a])

    The Role-Based Training (Content Customization) subcontrol within Awareness and Training (AT) in CMMCv2 emphasizes the need for organizations to customize training content to address the unique knowledge and skills required for various roles. This control ensures that training materials are tailored to the specific responsibilities of individuals, making the learning experience more relevant and effective.

  • Role-Based Training (AT.L2-3.2.2[b])

    The Role-Based Training (Delivery Methods) subcontrol within Awareness and Training (AT) in CMMCv2 focuses on selecting and implementing appropriate delivery methods for role-based cybersecurity training. This control ensures that training is delivered in a manner that is effective and engaging, considering the unique characteristics and preferences of individuals in different roles.

  • Role-Based Training (AT.L2-3.2.2[c])

    The Role-Based Training (Evaluation and Feedback) subcontrol within Awareness and Training (AT) in CMMCv2 focuses on assessing the effectiveness of role-based cybersecurity training and obtaining feedback from individuals in various roles. This control ensures a continuous improvement loop by evaluating the impact of training and incorporating feedback to enhance future training programs.

  • Insider Threat Awareness (AT.L2-3.2.3)

    The Insider Threat Awareness subcontrol within Awareness and Training (AT) in CMMCv2 focuses on raising awareness among personnel about the potential risks associated with insider threats. This control ensures that employees are informed about the indicators of insider threats, the impact on organizational security, and their role in mitigating such risks.

  • Insider Threat Awareness (AT.L2-3.2.3[a])

    The Insider Threat Awareness (Tailored Training for Roles) subcontrol within Awareness and Training (AT) in CMMCv2 emphasizes the need for tailored training programs addressing insider threat awareness based on specific roles within an organization. This control ensures that personnel understand the unique insider threat risks associated with their job functions and are equipped to recognize and report potential threats.

  • Insider Threat Awareness (AT.L2-3.2.3[b])

    The Insider Threat Awareness (Reporting Mechanisms) subcontrol within Awareness and Training (AT) in CMMCv2 focuses on establishing and promoting effective reporting mechanisms for personnel to report potential insider threat activities. This control ensures that individuals are aware of the proper channels for reporting suspicions, thereby facilitating prompt response and mitigation.

The Audit and Accountability (AU) control within the CMMCv2 framework focuses on establishing processes and mechanisms for tracking and monitoring system activities to support incident detection, investigation, and compliance. This control emphasizes the importance of maintaining an audit trail that captures relevant information to enable the reconstruction of events and actions related to security incidents.

  • System Auditing (AU.L2-3.3.1)

    The System Auditing subcontrol within Audit and Accountability (AU) in CMMCv2 focuses on establishing and maintaining effective auditing processes for information systems. This control ensures that organizations can track and review system activities, detect anomalies, and generate audit logs to support incident response, investigations, and compliance monitoring.

  • System Auditing (AU.L2-3.3.1[a])

    The System Auditing (Automated Tools) subcontrol within the Audit and Accountability (AU) domain of CMMCv2 emphasizes the use of automated tools to enhance the efficiency and effectiveness of system auditing processes. This control ensures that organizations employ technology to systematically collect, analyze, and manage audit logs, improving their ability to identify and respond to security events.

  • System Auditing (AU.L2-3.3.1[b])

    The System Auditing (Manual Analysis) subcontrol within the Audit and Accountability (AU) domain of CMMCv2 emphasizes the importance of manual analysis in the auditing process. This control ensures that organizations supplement automated tools with human expertise to thoroughly review and interpret audit logs for a deeper understanding of system activities.

  • System Auditing (AU.L2-3.3.1[c])

    The System Auditing (Continuous Improvement) subcontrol within the Audit and Accountability (AU) domain of CMMCv2 emphasizes the need for organizations to continually enhance their system auditing processes. This control ensures that organizations establish mechanisms for ongoing improvement, staying adaptive to evolving threats and changes in their information systems.

  • System Auditing (AU.L2-3.3.1[d]), User Accountability (AU.L2-3.3.2[b])

    System Auditing involves the continuous monitoring and analysis of audit logs to detect security incidents, anomalies, and potential threats within an organization's information systems. This subcontrol emphasizes the need to maintain effective auditing mechanisms and practices to ensure the integrity, confidentiality, and availability of system logs.

    User Accountability involves establishing mechanisms to track and attribute system activities to specific users within an organization. This subcontrol aims to ensure that users are uniquely identifiable and accountable for their actions on information systems.

  • System Auditing (AU.L2-3.3.1[e])

    System Auditing (Audit Log Protection) focuses on safeguarding audit logs generated by information systems. It involves measures to ensure the confidentiality, integrity, and availability of audit logs to prevent unauthorized access, tampering, or deletion.

  • System Auditing (AU.L2-3.3.1[f])

    System Auditing (AU.L2-3.3.1[f]) is a subcontrol within the Audit and Accountability domain of the CMMCv2 framework. This subcontrol focuses on the implementation of auditing mechanisms for information systems. It requires organizations to conduct systematic reviews and analysis of audit logs generated by various system components to detect and respond to security events, unauthorized activities, and potential vulnerabilities.

  • User Accountability (AU.L2-3.3.2)

    User Accountability focuses on establishing mechanisms to track and attribute system activities to specific users within an organization. This control ensures that users are uniquely identifiable and accountable for their actions on information systems.

  • User Accountability (AU.L2-3.3.2[a])

    User Accountability (AU.L2-3.3.2[a]) is a subcontrol under the Audit and Accountability control in the CMMCv2 framework. This subcontrol focuses on establishing mechanisms to uniquely identify and track the actions of individual users within an information system. The goal is to enhance accountability, traceability, and the ability to attribute actions to specific users, thereby supporting incident investigation and deterrence of unauthorized activities.

  • User Accountability (AU.L2-3.3.2[b])

    AU.L2-3.3.2[b] focuses on establishing and maintaining user accountability within an organization's information systems. This subcontrol aims to track and attribute user actions to specific individuals, ensuring transparency, accountability, and the ability to investigate security incidents effectively.

  • Event Review (AU.L2-3.3.3)

    Event Review, under the Audit and Accountability domain, focuses on the systematic examination of recorded events and activities within an organization's information systems. This control ensures that organizations regularly analyze audit logs and other relevant records to identify and respond to security incidents promptly.

  • Event Review (AU.L2-3.3.3[a])

    The Event Review subcontrol (AU.L2-3.3.3[a]) focuses on the systematic and timely review of audit records to identify and respond to security events. This includes analyzing logs, reports, and alerts generated by audit mechanisms to ensure that anomalies, incidents, and potential indicators of compromise are promptly identified and addressed. The goal is to enhance the organization's ability to detect and mitigate security threats through effective event review practices.

  • Event Review (AU.L2-3.3.3[b])

    Event Review, a subset of the Audit and Accountability domain within CMMCv2, focuses on the systematic examination of recorded events and activities within an organization's information systems. This specific subcontrol, AU.L2-3.3.3[b], emphasizes a more targeted aspect of event review, possibly related to specific event types or sources.

  • Event Review (AU.L2-3.3.3[c])

    Event Review, a crucial subcontrol within the Audit and Accountability domain of CMMCv2, entails the systematic examination of recorded events and activities within an organization's information systems. AU.L2-3.3.3[c] specifies additional criteria or sources for a more nuanced approach to event analysis.

  • Audit Failure Alerting (AU.L2-3.3.4)

    Audit Failure Alerting, a subcontrol within the Audit and Accountability domain of CMMCv2, is designed to enhance an organization's ability to promptly detect and respond to failures in the auditing process. The focus is on setting up mechanisms that trigger alerts when anomalies or failures related to audit activities are identified.

  • Audit Failure Alerting (AU.L2-3.3.4[a])

    Automated Audit Failure Alerting, a specific aspect within the broader Audit and Accountability domain of CMMCv2, focuses on establishing automated mechanisms to promptly detect and alert stakeholders about failures in the auditing process. This subcontrol, AU.L2-3.3.4[a], emphasizes the use of automated tools and processes for real-time monitoring.

  • Audit Failure Alerting (AU.L2-3.3.4[b])

    Manual Audit Failure Alerting, a specific facet within the Audit and Accountability domain of CMMCv2, emphasizes the establishment of procedures for manual detection and alerting in response to failures in the auditing process. AU.L2-3.3.4[b] highlights scenarios where automated tools may not suffice, requiring human intervention for nuanced analysis.

  • Audit Failure Alerting (AU.L2-3.3.4[c])

    Escalation Procedures for Audit Failure Alerts, a specific aspect within the Audit and Accountability domain of CMMCv2, focuses on establishing clear processes for escalating and managing audit failure alerts. AU.L2-3.3.4[c] ensures that organizations have structured procedures in place to address audit failures promptly and effectively.

  • Audit Correlation (AU.L2-3.3.5)

    Audit Correlation, a critical subcontrol within the Audit and Accountability domain of CMMCv2, emphasizes the importance of correlating audit records from various sources to create a comprehensive and cohesive view of security events. AU.L2-3.3.5 ensures that organizations have mechanisms in place to analyze and correlate audit data effectively.

  • Audit Correlation (AU.L2-3.3.5[a])

    The AU.L2-3.3.5[a] subcontrol within the Audit and Accountability domain of CMMCv2 focuses on enhancing the organization's capability to correlate specific types of audit records. By implementing targeted correlation mechanisms, this subcontrol aims to provide a more detailed and context-rich analysis of selected audit events, contributing to improved threat detection and incident response.

  • Audit Correlation (AU.L2-3.3.5[b])

    The AU.L2-3.3.5[b] subcontrol within the Audit and Accountability domain of CMMCv2 focuses on enhancing the organization's ability to correlate specific audit events. By concentrating on identified critical events, this subcontrol aims to provide a targeted and efficient approach to detecting security incidents and improving incident response capabilities.

  • Reduction & Reporting (AU.L2-3.3.6)

    The AU.L2-3.3.6 subcontrol within the Audit and Accountability domain of CMMCv2 focuses on efficiently managing and reporting audit log volumes. This subcontrol aims to reduce the volume of audit logs while ensuring that critical events are appropriately captured and reported. By implementing log reduction techniques and establishing reporting mechanisms, organizations can optimize the analysis of audit data.

  • Reduction & Reporting (AU.L2-3.3.6[a])

    AU.L2-3.3.6[a] is a subcontrol within the Audit and Accountability domain of CMMCv2, focusing on the implementation of automated log reduction mechanisms. This subcontrol aims to streamline the analysis of audit logs by automating the process of reducing unnecessary log volumes while retaining critical information. By leveraging automated mechanisms, organizations can enhance their ability to identify and respond to security incidents efficiently.

  • Reduction & Reporting (AU.L2-3.3.6[b])

    AU.L2-3.3.6[b] is a subcontrol within the Audit and Accountability domain of CMMCv2, focusing on the reporting aspect of critical audit events. This subcontrol emphasizes the need for organizations to establish clear mechanisms for reporting on identified critical events in the audit logs. By implementing effective reporting procedures, organizations can enhance their situational awareness and improve incident response capabilities.

  • Authoritative Time Source (AU.L2-3.3.7)

    AU.L2-3.3.7 is a subcontrol within the Audit and Accountability domain of CMMCv2, focusing on the importance of maintaining an authoritative time source for accurate and synchronized timestamping of audit records. This subcontrol ensures that organizations establish and maintain a reliable timekeeping system to enhance the integrity and effectiveness of audit logs.

  • Authoritative Time Source (AU.L2-3.3.7[a])

    AU.L2-3.3.7[a] is a subcontrol within the Audit and Accountability domain of CMMCv2, specifically focusing on the secure configuration of the authoritative time source. This subcontrol aims to ensure that the designated authoritative time source is not only accurate but also configured securely to prevent tampering and unauthorized alterations.

  • Authoritative Time Source (AU.L2-3.3.7[b])

    AU.L2-3.3.7[b] is a subcontrol within the Audit and Accountability domain of CMMCv2, focusing on the establishment of monitoring and alerting capabilities for the authoritative time source. This subcontrol aims to ensure that organizations are proactively aware of any issues or anomalies related to the designated authoritative time source.

  • Authoritative Time Source (AU.L2-3.3.7[c])

    AU.L2-3.3.7[c] is a subcontrol within the Audit and Accountability domain of CMMCv2, focusing on incident response and recovery procedures related to the authoritative time source. This subcontrol ensures that organizations are prepared to swiftly respond to incidents affecting the time source and can recover normal operations with minimal disruption.

  • Audit Protection (AU.L2-3.3.8)

    AU.L2-3.3.8, within the Audit and Accountability domain of CMMCv2, emphasizes safeguarding audit information against unauthorized access, disclosure, alteration, and destruction. This subcontrol aims to ensure the confidentiality and integrity of audit logs, vital for incident detection, investigation, and response.

  • Audit Protection (AU.L2-3.3.8[a])

    This subcontrol focuses on ensuring the protection of audit information and the prevention of unauthorized access to audit logs. Proper protection of audit information is crucial for maintaining the integrity and reliability of the audit trail, which is essential for detecting and responding to security incidents. The subcontrol specifically addresses protections related to audit information stored in remote locations.

  • Audit Protection (AU.L2-3.3.8[b])

    The Audit Protection subcontrol (AU.L2-3.3.8[b]) is designed to establish measures that ensure the protection of audit information from unauthorized access, modification, or deletion. By implementing robust safeguards for audit logs and records, organizations enhance the integrity, confidentiality, and availability of crucial information used for monitoring, compliance, and incident response.

  • Audit Protection (AU.L2-3.3.8[c])

    The Audit Protection subcontrol (AU.L2-3.3.8[c]) addresses measures for safeguarding audit information to prevent unauthorized access, modification, or deletion. This includes protection mechanisms for audit logs and records to maintain the integrity, confidentiality, and availability of critical information used for monitoring and incident response.

  • Audit Protection (AU.L2-3.3.8[d])

    The Audit Protection subcontrol (AU.L2-3.3.8[d]) addresses measures to safeguard audit information against unauthorized access, modification, or deletion. It emphasizes protection mechanisms for audit logs and records to ensure their integrity, confidentiality, and availability. This subcontrol contributes to the overall reliability of audit trails critical for monitoring, compliance, and incident response.

  • Audit Protection (AU.L2-3.3.8[e])

    The Audit Protection subcontrol (AU.L2-3.3.8[e]) focuses on implementing measures to secure audit information against unauthorized access, modification, or deletion. It emphasizes protection mechanisms for audit logs and records to ensure their integrity, confidentiality, and availability. This subcontrol plays a crucial role in maintaining the trustworthiness of audit trails, which are essential for monitoring, compliance, and incident response.

  • Audit Protection (AU.L2-3.3.8[f])

    The Audit Protection subcontrol (AU.L2-3.3.8[f]) is designed to establish measures that ensure the protection of audit information from unauthorized access, modification, or deletion. By implementing robust safeguards for audit logs and records, organizations enhance the integrity, confidentiality, and availability of crucial information used for monitoring, compliance, and incident response.

  • Audit Management (AU.L2-3.3.9)

    The Audit Management subcontrol (AU.L2-3.3.9) focuses on establishing and maintaining a comprehensive audit management program. It involves planning, organizing, directing, and controlling the activities related to auditing information systems. The goal is to ensure the effective and efficient conduct of audits to support organizational goals, compliance requirements, and incident response.

  • Audit Management (AU.L2-3.3.9[a])

    The Audit Management subcontrol (AU.L2-3.3.9[a]) is designed to establish and maintain a structured and comprehensive audit management program. This subcontrol emphasizes the importance of systematic planning, organizing, directing, and controlling audit activities to ensure the effectiveness of the audit process. It aims to support organizational goals, compliance requirements, and incident response through well-managed audit practices.

  • Audit Management (AU.L2-3.3.9[b])

    The Audit Management subcontrol (AU.L2-3.3.9[b]) focuses on establishing and maintaining a structured and comprehensive audit management program. It emphasizes systematic planning, organizing, directing, and controlling audit activities to ensure the effectiveness of the audit process. This subcontrol aims to support organizational goals, compliance requirements, and incident response through well-managed audit practices.

The Access Control (AC) control within the CMMCv2 framework is designed to manage and restrict access to systems, networks, and data in order to prevent unauthorized disclosure, modification, or destruction of sensitive information. This control establishes policies, procedures, and technical safeguards to ensure that only authorized individuals or entities have access to controlled information, and that access is granted based on the principle of least privilege.

  • Authorized Access Control (AC.L1-3.1.1)

    The Authorized Access Control subcontrol (AC.L1-3.1.1) in the CMMCv2 framework focuses on establishing and enforcing policies and procedures to ensure that access to information systems and data is limited to authorized individuals and entities. It aims to prevent unauthorized access, disclosure, alteration, and destruction of sensitive information by implementing effective access controls.

  • Authorized Access Control (AC.L1-3.1.1[a])

    The Authorized Access Control subcontrol (AC.L1-3.1.1[a]) focuses on implementing and enforcing policies and procedures to ensure that access to information systems and data is limited to authorized individuals and entities. It aims to prevent unauthorized access, disclosure, alteration, and destruction of sensitive information by establishing effective access controls.

  • Authorized Access Control (AC.L1-3.1.1[b])

    The Authorized Access Control subcontrol (AC.L1-3.1.1[b]) focuses on implementing and enforcing policies and procedures to ensure that access to information systems and data is limited to authorized individuals and entities. It aims to prevent unauthorized access, disclosure, alteration, and destruction of sensitive information by establishing effective access controls.

  • Authorized Access Control (AC.L1-3.1.1[c])

    The Authorized Access Control subcontrol (AC.L1-3.1.1[c]) focuses on implementing and enforcing policies and procedures to ensure that access to information systems and data is limited to authorized individuals and entities. It aims to prevent unauthorized access, disclosure, alteration, and destruction of sensitive information by establishing effective access controls.

  • Authorized Access Control (AC.L1-3.1.1[d])

    The Authorized Access Control subcontrol (AC.L1-3.1.1[d]) focuses on implementing and enforcing policies and procedures to ensure that access to information systems and data is limited to authorized individuals and entities. It aims to prevent unauthorized access, disclosure, alteration, and destruction of sensitive information by establishing effective access controls.

  • Authorized Access Control (AC.L1-3.1.1[e])

    The Authorized Access Control subcontrol (AC.L1-3.1.1[e]) focuses on implementing and enforcing policies and procedures to ensure that access to information systems and data is limited to authorized individuals and entities. It aims to prevent unauthorized access, disclosure, alteration, and destruction of sensitive information by establishing effective access controls.

  • Authorized Access Control (AC.L1-3.1.1[f])

    The Authorized Access Control subcontrol (AC.L1-3.1.1[f]) focuses on implementing and enforcing policies and procedures to ensure that access to information systems and data is limited to authorized individuals and entities. It aims to prevent unauthorized access, disclosure, alteration, and destruction of sensitive information by establishing effective access controls.

  • Transaction & Function Control (AC.L1-3.1.2)

    The Transaction & Function Control subcontrol (AC.L1-3.1.2) aims to implement measures that regulate and control specific transactions and functions within an information system. This control focuses on ensuring that users are authorized to perform specific actions, preventing unauthorized or inappropriate activities that could compromise the integrity and confidentiality of data.

  • Transaction & Function Control (AC.L1-3.1.2[a])

    The Transaction & Function Control subcontrol (AC.L1-3.1.2[a]) focuses on implementing measures to regulate and control specific transactions and functions within an information system. This subcontrol ensures that users are authorized to perform only designated actions, preventing unauthorized or inappropriate activities that could compromise the integrity and confidentiality of data.

  • Transaction & Function Control (AC.L1-3.1.2[b])

    The Transaction & Function Control subcontrol (AC.L1-3.1.2[b]) focuses on implementing measures to regulate and control specific transactions and functions within an information system. This subcontrol ensures that users are authorized to perform only designated actions, preventing unauthorized or inappropriate activities that could compromise the integrity and confidentiality of data.

  • External Connections (AC.L1-3.1.20)

    The External Connections subcontrol (AC.L1-3.1.20) is designed to manage and control access to an information system from external entities. It focuses on implementing measures to secure connections and interactions with external networks, ensuring that only authorized and secure communications occur. This subcontrol is essential for protecting sensitive information and preventing unauthorized access through external connections.

  • External Connections (AC.L1-3.1.20[a])

    The External Connections subcontrol (AC.L1-3.1.20[a]) addresses specific measures to manage and control access to an information system from external entities. It focuses on enhancing the security of external connections by implementing access controls, authentication mechanisms, and encryption protocols. This subcontrol aims to ensure that interactions with external networks are secure, authorized, and aligned with organizational security policies.

  • External Connections (AC.L1-3.1.20[b])

    The External Connections subcontrol (AC.L1-3.1.20[b]) focuses on implementing specific measures to manage and control access to an information system from external entities. This subcontrol aims to enhance the security of external connections by implementing access controls, authentication mechanisms, and encryption protocols. It addresses the need for a tailored approach to managing external interactions, ensuring that these connections are secure, authorized, and compliant with organizational security policies.

  • External Connections (AC.L1-3.1.20[c])

    The External Connections subcontrol (AC.L1-3.1.20[c]) focuses on implementing specific measures to manage and control access to an information system from external entities. This subcontrol aims to enhance the security of external connections by implementing access controls, authentication mechanisms, and encryption protocols. It addresses the need for a tailored approach to managing external interactions, ensuring that these connections are secure, authorized, and compliant with organizational security policies.

  • External Connections (AC.L1-3.1.20[d])

    The External Connections subcontrol (AC.L1-3.1.20[d]) is designed to implement specific measures for managing and controlling access to an information system from external entities. This subcontrol focuses on enhancing the security of external connections through the implementation of access controls, authentication mechanisms, and encryption protocols. It emphasizes the need for a tailored approach to managing external interactions to ensure secure, authorized, and compliant connections with external entities.

  • External Connections (AC.L1-3.1.20[e])

    The External Connections subcontrol (AC.L1-3.1.20[e]) is designed to implement specific measures for managing and controlling access to an information system from external entities. This subcontrol focuses on enhancing the security of external connections through the implementation of access controls, authentication mechanisms, and encryption protocols. It emphasizes the need for a tailored approach to managing external interactions to ensure secure, authorized, and compliant connections with external entities.

  • External Connections (AC.L1-3.1.20[f])

    The External Connections subcontrol (AC.L1-3.1.20[f]) is designed to implement specific measures for managing and controlling access to an information system from external entities. This subcontrol focuses on enhancing the security of external connections through the implementation of access controls, authentication mechanisms, and encryption protocols. It emphasizes the need for a tailored approach to managing external interactions to ensure secure, authorized, and compliant connections with external entities.

  • Control Public Information (AC.L1-3.1.22)

    The Control Public Information subcontrol (AC.L1-3.1.22) focuses on implementing measures to control access to public information. This includes ensuring that information intended for public disclosure is appropriately managed and protected to prevent unauthorized access, disclosure, or modification.

  • Control Public Information (AC.L1-3.1.22[a])

    The Control Public Information subcontrol (AC.L1-3.1.22[a]) focuses on implementing measures to control access to public information. This specific aspect emphasizes the need to clearly identify information intended for public disclosure and implement appropriate access controls to safeguard the integrity, confidentiality, and availability of such information.

  • Control Public Information (AC.L1-3.1.22[b])

    The Control Public Information subcontrol (AC.L1-3.1.22[b]) focuses on implementing measures to control access to public information. This specific aspect emphasizes the need to clearly identify information intended for public disclosure and implement appropriate access controls to safeguard the integrity, confidentiality, and availability of such information.

  • Control Public Information (AC.L1-3.1.22[c])

    The Control Public Information subcontrol (AC.L1-3.1.22[c]) is designed to implement measures for controlling access to information intended for public disclosure. It emphasizes the importance of identifying and managing public information to prevent unauthorized access, modification, or disclosure while ensuring the confidentiality and integrity of such information.

  • Control Public Information (AC.L1-3.1.22[d])

    The Control Public Information subcontrol (AC.L1-3.1.22[d]) is designed to implement measures for controlling access to information intended for public disclosure. It emphasizes the importance of identifying and managing public information to prevent unauthorized access, modification, or disclosure while ensuring the confidentiality and integrity of such information.

  • Control Public Information (AC.L1-3.1.22[e])

    The Control Public Information subcontrol (AC.L1-3.1.22[e]) is designed to implement measures for controlling access to information intended for public disclosure. It emphasizes the importance of identifying and managing public information to prevent unauthorized access, modification, or disclosure while ensuring the confidentiality and integrity of such information.

  • Privacy & Security Notices (AC.L2-3.1.9)

    The Privacy & Security Notices subcontrol (AC.L2-3.1.9) requires the organization to provide privacy and security notices consistent with the CUI rules that apply to it. The usual implementation is a system-use banner at logon, or a notice presented before access to a CUI repository, that tells the user the system is monitored and states the handling obligations that apply.

  • Privacy & Security Notices (AC.L2-3.1.9[a])

    The Privacy & Security Notices subcontrol (AC.L2-3.1.9[a]) requires that the privacy and security notices required by CUI-specified rules are identified, are consistent with those rules, and are associated with the specific CUI category they apply to. This means knowing which categories of CUI the organization handles and which notice text each one requires.

  • Privacy & Security Notices (AC.L2-3.1.9[b])

    The Privacy & Security Notices subcontrol (AC.L2-3.1.9[b]) requires that the identified notices are actually displayed. Verify the banner on every interactive entry point (local console, remote desktop, SSH, VPN portal, web applications); a banner configured on workstations but missing from the jump host is a common gap.

  • Portable Storage Use (AC.L2-3.1.21)

    The Portable Storage Use subcontrol (AC.L2-3.1.21) requires the organization to limit the use of portable storage devices on external systems. The concern is CUI leaving the boundary on a USB drive or external disk and being plugged into a system the organization does not control, such as a home computer or a partner's workstation.

  • Portable Storage Use (AC.L2-3.1.21[a])

    The Portable Storage Use subcontrol (AC.L2-3.1.21[a]) requires that the use of portable storage devices containing CUI on external systems is identified and documented. If no such use is permitted, document that; if it is permitted for specific cases, record which devices, which external systems and which business need.

  • Portable Storage Use (AC.L2-3.1.21[b])

    The Portable Storage Use subcontrol (AC.L2-3.1.21[b]) requires that limits on the use of portable storage devices containing CUI on external systems are defined. Typical limits are a short list of approved, encrypted devices, a prohibition on use with any system not on an approved list, and a requirement that the device be returned or wiped afterwards.

  • Portable Storage Use (AC.L2-3.1.21[c])

    The Portable Storage Use subcontrol (AC.L2-3.1.21[c]) requires that the use is limited as defined. Policy alone does not satisfy this objective; show the enforcement, for example endpoint controls that permit only the approved encrypted media and the agreements or technical controls applied to the external systems involved.

  • Least Privilege (AC.L2-3.1.5)

    The Least Privilege subcontrol (AC.L2-3.1.5) requires the organization to employ the principle of least privilege, including for specific security functions and privileged accounts. Users and processes get only the access their task requires, which limits both the reach of a compromised account and the damage an honest mistake can do.

  • Least Privilege (AC.L2-3.1.5[a])

    The Least Privilege subcontrol (AC.L2-3.1.5[a]) requires that privileged accounts are identified. That means an inventory of every account with elevated rights: members of administrative groups, root and local administrator accounts, service accounts with elevated roles, and cloud or SaaS accounts holding administrative roles.

  • Least Privilege (AC.L2-3.1.5[b])

    The Least Privilege subcontrol (AC.L2-3.1.5[b]) requires that access to privileged accounts is authorized in accordance with the principle of least privilege. Each privileged account in the inventory should map to a documented business need and an approver, and the inventory should be reconciled against the directory so that unapproved memberships are found.

  • Least Privilege (AC.L2-3.1.5[c])

    The Least Privilege subcontrol (AC.L2-3.1.5[c]) requires that security functions are identified. These are the functions that change the security state of a system: managing accounts and permissions, changing audit settings, configuring firewalls, managing cryptographic keys, and disabling or altering security tooling.

  • Least Privilege (AC.L2-3.1.5[d])

    The Least Privilege subcontrol (AC.L2-3.1.5[d]) requires that access to the identified security functions is authorized in accordance with the principle of least privilege. Only the roles that need a given security function should be able to exercise it, and that authorization should be explicit rather than inherited from a broad administrative group.

  • Non-Privileged Account Use (AC.L2-3.1.6)

    The Non-Privileged Account Use subcontrol (AC.L2-3.1.6) requires the use of non-privileged accounts or roles when accessing nonsecurity functions. Reading email, browsing the web and editing documents from an administrative account exposes those privileges to every phishing attachment and malicious page the user encounters, so administrators work from a standard account and elevate only when a task needs it.

  • Non-Privileged Account Use (AC.L2-3.1.6[a])

    The Non-Privileged Account Use subcontrol (AC.L2-3.1.6[a]) requires that nonsecurity functions are identified. In practice this is the complement of the security-function list kept for AC.L2-3.1.5[c]: everyday activities such as email, web browsing, office productivity and normal application use.

  • Non-Privileged Account Use (AC.L2-3.1.6[b])

    The Non-Privileged Account Use subcontrol (AC.L2-3.1.6[b]) requires that users are required to use non-privileged accounts or roles when accessing those nonsecurity functions. Common implementations are separate administrative accounts that have no mailbox and no web proxy access, and just-in-time elevation rather than standing membership in administrative groups.
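    An added example, not part of the original page or of any CMMC publication, showing how the reconciliation described for AC.L2-3.1.5[a]/[b] and AC.L2-3.1.6[b] can be done over a directory export. The privileged group names, the account records and the authorization register below are constructed for illustration; the "has_mailbox" flag stands in for whatever indicator of routine use an organization has.

```python
from dataclasses import dataclass

# Assumed names of the groups that confer privilege in this directory.
PRIVILEGED_GROUPS = {"Domain Admins", "Server Admins", "Backup Operators"}


@dataclass
class Account:
    name: str
    owner: str           # the person (or service) the account belongs to
    groups: frozenset
    has_mailbox: bool    # constructed indicator of routine, non-security use
    kind: str = "user"   # "user" or "service"


def privileged_accounts(accounts):
    """AC.L2-3.1.5[a]: every account holding membership in a privileged group."""
    return [a for a in accounts if a.groups & PRIVILEGED_GROUPS]


def review(accounts, authorized):
    """Reconcile the directory against the authorization register.

    authorized: set of (owner, group) pairs approved by a manager.
    Returns a list of finding strings; an empty list means no gap was found.
    """
    findings = []
    # Owners who hold at least one standard (non-privileged) account.
    owners_with_standard = {a.owner for a in accounts if not (a.groups & PRIVILEGED_GROUPS)}
    for acct in privileged_accounts(accounts):
        for grp in sorted(acct.groups & PRIVILEGED_GROUPS):
            if (acct.owner, grp) not in authorized:
                findings.append(f"3.1.5[b] {acct.name}: '{grp}' membership is not in the authorization register")
        if acct.kind != "user":
            continue  # 3.1.6 is about people; service accounts are reviewed under 3.1.5 only
        # 3.1.6[b]: a privileged account must not double as its owner's everyday account.
        if acct.has_mailbox or acct.owner not in owners_with_standard:
            findings.append(f"3.1.6[b] {acct.name}: privileged account is also used for routine (non-security) functions")
    return findings


# Constructed directory export and register (not from a real environment).
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Jane Doe", frozenset({"Staff"}), has_mailbox=True),
    Account("jdoe-adm", "Jane Doe", frozenset({"Server Admins"}), has_mailbox=False),
    Account("bsmith", "Bob Smith", frozenset({"Staff", "Domain Admins"}), has_mailbox=True),
    Account("svc-backup", "Backup Service", frozenset({"Backup Operators"}), has_mailbox=False, kind="service"),
]
SAMPLE_REGISTER = {("Jane Doe", "Server Admins"), ("Bob Smith", "Domain Admins")}

if __name__ == "__main__":
    for finding in review(SAMPLE_ACCOUNTS, SAMPLE_REGISTER):
        print(finding)
```

    On the sample data the review reports bsmith, whose daily account carries Domain Admins, and svc-backup, whose Backup Operators membership nobody has approved; jdoe-adm passes because it is authorized and Jane Doe has a separate standard account. Feeding a real export into the same two functions gives the assessor-facing artifact for [a] (the privileged account list) and the gap list for [b].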

  • Unsuccessful Logon Attempts (AC.L2-3.1.8)

    The Unsuccessful Logon Attempts subcontrol (AC.L2-3.1.8) requires the organization to limit unsuccessful logon attempts. A defined threshold and response (temporary lockout, increasing delay, or administrator unlock) makes online password guessing slow and noisy instead of free, and the lockout events themselves are a useful detection signal.

  • Unsuccessful Logon Attempts (AC.L2-3.1.8[a])

    The Unsuccessful Logon Attempts subcontrol (AC.L2-3.1.8[a]) requires that the means of limiting unsuccessful logon attempts is defined: how many failures are allowed, within what time window, and what happens when the threshold is reached (lock for a fixed period, lock until an administrator resets, or impose a delay). The definition should state which systems it applies to, since domain, local, VPN and application logons are often configured independently.

  • Unsuccessful Logon Attempts (AC.L2-3.1.8[b])

    The Unsuccessful Logon Attempts subcontrol (AC.L2-3.1.8[b]) requires that the defined means is implemented. Assessors compare the configured values (for example the account lockout policy of a domain, pam_faillock on Linux hosts, or the lockout setting of a web application) against the definition, and look for accounts such as service or break-glass accounts that are exempted without justification.
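    An added example, not from the original page or from any CMMC or NIST publication, that makes the [a]/[b] split concrete: the policy object is the "defined means" and the enforcer is its implementation, replayed over a constructed stream of logon events. The threshold, window and lockout values are assumptions chosen for the example, not recommended settings.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """AC.L2-3.1.8[a]: the defined means. Values are example assumptions, in seconds."""
    max_failures: int = 5
    window_seconds: int = 900
    lockout_seconds: int = 1800


class LockoutEnforcer:
    """AC.L2-3.1.8[b]: applies the policy to logon events in time order.

    process() returns 'allow', 'fail' or 'locked' for each event.
    """

    def __init__(self, policy):
        self.policy = policy
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lock expires

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()

    def process(self, ts, account, success):
        # A locked account is rejected even on a correct password: otherwise a
        # guessing attacker would learn the right password the moment it was hit.
        if account in self._locked_until:
            if ts < self._locked_until[account]:
                return "locked"
            del self._locked_until[account]
            self._failures[account].clear()
        self._prune(account, ts)
        if success:
            self._failures[account].clear()
            return "allow"
        self._failures[account].append(ts)
        if len(self._failures[account]) >= self.policy.max_failures:
            self._locked_until[account] = ts + self.policy.lockout_seconds
            return "locked"
        return "fail"


def replay(events, policy=LockoutPolicy()):
    """Run the enforcer over (timestamp, account, success) tuples and return one decision per event."""
    enforcer = LockoutEnforcer(policy)
    return [enforcer.process(ts, account, ok) for ts, account, ok in events]


# Constructed sample: a guessing burst against 'jdoe', an unrelated user in between,
# a correct password during the lockout, and a logon after the lockout expires.
SAMPLE_EVENTS = [
    (0, "jdoe", False),
    (10, "jdoe", False),
    (20, "jdoe", False),
    (30, "jdoe", False),
    (40, "jdoe", False),     # fifth failure inside the window: account locks until t=1840
    (50, "asmith", False),
    (60, "asmith", True),    # other accounts are unaffected
    (70, "jdoe", True),      # correct password while locked: still rejected
    (1900, "jdoe", True),    # lock has expired: allowed, failure history cleared
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

    Two properties are worth checking in any real implementation the same way the sample does here: that a correct password during the lock is still refused, and that failures outside the window do not accumulate (so a slow guess at one attempt per hour is a separate problem for monitoring, not for lockout).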

  • Session Lock (AC.L2-3.1.10)

    The Session Lock subcontrol (AC.L2-3.1.10) requires the use of a session lock with pattern-hiding displays to prevent access to and viewing of data after a period of inactivity. The lock keeps an unattended session from being used by a passer-by, and the pattern-hiding display keeps what was on screen from being read.

  • Session Lock (AC.L2-3.1.10[a])

    The Session Lock subcontrol (AC.L2-3.1.10[a]) requires that the period of inactivity after which the system initiates a session lock is defined. The value is the organization's to choose and document; what matters to an assessor is that it is written down and that the configured timeouts match it.

  • Session Lock (AC.L2-3.1.10[b])

    The Session Lock subcontrol (AC.L2-3.1.10[b]) requires that access to the system and its data is prevented by initiating a session lock after the defined period of inactivity, with re-authentication needed to resume. Check this on every interactive session type, including remote desktop and virtual desktop sessions, not only local workstations.

  • Session Lock (AC.L2-3.1.10[c])

    The Session Lock subcontrol (AC.L2-3.1.10[c]) requires that previously visible information is concealed via a pattern-hiding display after the defined period. A screen saver or lock screen that still shows the desktop, notification previews or document content does not meet this objective.

  • Wireless Access Authorization (AC.L2-3.1.16)

    The Wireless Access Authorization subcontrol (AC.L2-3.1.16) requires the organization to authorize wireless access prior to allowing such connections. The organization decides which wireless networks may exist, who and what may connect to them, and under what conditions, before any connection is permitted.

  • Wireless Access Authorization (AC.L2-3.1.16[a])

    The Wireless Access Authorization subcontrol (AC.L2-3.1.16[a]) requires that wireless access points are identified. Keep an inventory of authorized access points and periodically scan for ones that are not on it; a rogue access point plugged into an office port bypasses every control configured on the authorized ones.

  • Wireless Access Authorization (AC.L2-3.1.16[b])

    The Wireless Access Authorization subcontrol (AC.L2-3.1.16[b]) requires that wireless access is authorized prior to allowing such connections. This covers both the policy decision about which devices and users may use wireless and its enforcement, for example through 802.1X certificate or credential checks before a client is placed on the network.

  • Control Remote Access (AC.L2-3.1.12)

    The Control Remote Access subcontrol (AC.L2-3.1.12) requires the organization to monitor and control remote access sessions. Remote access is access to the organizational system by a user or process communicating through an external network such as the Internet; it must be permitted deliberately, limited to known types, controlled and monitored.

  • Control Remote Access (AC.L2-3.1.12[a])

    The Control Remote Access subcontrol (AC.L2-3.1.12[a]) requires that remote access sessions are permitted, meaning an explicit decision about whether remote access is allowed at all and, if so, for which users and under what conditions. If remote access is prohibited, document that and show the technical controls that block it.

  • Control Remote Access (AC.L2-3.1.12[b])

    The Control Remote Access subcontrol (AC.L2-3.1.12[b]) requires that the types of permitted remote access are identified, such as VPN, remote desktop through a gateway, or vendor support connections. Unlisted paths, including remote management tools installed by individual users, should be treated as unauthorized.

  • Control Remote Access (AC.L2-3.1.12[c])

    The Control Remote Access subcontrol (AC.L2-3.1.12[c]) requires that remote access sessions are controlled. Typical controls are authentication through a central access point, restriction of what can be reached from a remote session, and a device posture check before a connection is accepted.

  • Control Remote Access (AC.L2-3.1.12[d])

    The Control Remote Access subcontrol (AC.L2-3.1.12[d]) requires that remote access sessions are monitored. Session records from the VPN or gateway (who connected, from where, when, and for how long) should be collected centrally and reviewed so that anomalous sessions can be investigated.

  • Remote Access Routing (AC.L2-3.1.14)

    The Remote Access Routing subcontrol (AC.L2-3.1.14) requires that remote access is routed via managed access control points. Funnelling every remote session through a small number of managed entry points, rather than letting individual systems accept remote connections directly, makes the control and monitoring objectives of AC.L2-3.1.12 achievable in one place.

  • Remote Access Routing (AC.L2-3.1.14[a])

    The Remote Access Routing subcontrol (AC.L2-3.1.14[a]) requires that managed access control points are identified and implemented: the VPN concentrators, remote desktop gateways, bastion hosts or similar systems through which remote access is permitted. Each should be inventoried, hardened and centrally managed.

  • Remote Access Routing (AC.L2-3.1.14[b])

    The Remote Access Routing subcontrol (AC.L2-3.1.14[b]) requires that remote access is routed through those managed network access control points. Firewall rules and network segmentation should make direct inbound access to internal systems from external networks impossible, so that the managed points are the only path.

  • Control CUI Flow (AC.L2-3.1.3)

    The Control CUI Flow subcontrol (AC.L2-3.1.3) requires the organization to control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations. Where CUI may go within the system and between interconnected systems is decided in advance and enforced by technical means, so that CUI does not travel to networks, systems or people not authorized to receive it.

  • Control CUI Flow (AC.L2-3.1.3[a])

    The Control CUI Flow subcontrol (AC.L2-3.1.3[a]) requires that information flow control policies are defined. The policy states which CUI may flow between which networks, systems and organizations, and on what basis.

  • Control CUI Flow (AC.L2-3.1.3[b])

    The Control CUI Flow subcontrol (AC.L2-3.1.3[b]) requires that methods and enforcement mechanisms for controlling the flow of CUI are defined. Examples are boundary firewalls and proxies, data loss prevention rules, email encryption or blocking rules, and segmentation that keeps CUI enclaves separate from the rest of the network.

  • Control CUI Flow (AC.L2-3.1.3[c])

    The Control CUI Flow subcontrol (AC.L2-3.1.3[c]) requires that the designated sources and destinations for CUI within the system and between interconnected systems are identified, including networks, individuals and devices. A data flow diagram of where CUI is created, stored, processed and transmitted is the usual artifact.

  • Control CUI Flow (AC.L2-3.1.3[d])

    The Control CUI Flow subcontrol (AC.L2-3.1.3[d]) requires that authorizations for controlling the flow of CUI are defined: who approved each permitted flow, and for what purpose. Interconnection agreements with partner organizations belong here.

  • Control CUI Flow (AC.L2-3.1.3[e])

    The Control CUI Flow subcontrol (AC.L2-3.1.3[e]) requires that the approved authorizations are enforced. The assessor will look for the configured rules on the mechanisms named in [b] and for evidence that flows outside the approved set are blocked or flagged.

  • Wireless Access Protection (AC.L2-3.1.17)

    The Wireless Access Protection subcontrol (AC.L2-3.1.17) requires the organization to protect wireless access using authentication and encryption. Wireless traffic can be received by anyone in range, so the network must verify who is connecting and keep the traffic unreadable to everyone else.

  • Wireless Access Protection (AC.L2-3.1.17[a])

    Wireless Access Protection (AC.L2-3.1.17[a]) requires that wireless access to the system is protected using authentication. Enterprise authentication with per-user or per-device credentials, typically 802.1X with EAP, is preferred over a shared pre-shared key, which cannot be revoked for a single user and ends up widely known.

  • Wireless Access Protection (AC.L2-3.1.17[b])

    Wireless Access Protection (AC.L2-3.1.17[b]) requires that wireless access to the system is protected using encryption. Use a current protocol (WPA2 or WPA3 in enterprise mode) and disable legacy options such as WEP and TKIP; the encryption actually in use should be checked on every authorized access point rather than assumed from the policy.

  • Remote Access Confidentiality (AC.L2-3.1.13)

    Remote Access Confidentiality (AC.L2-3.1.13) is a subcontrol under the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. It requires the organization to employ cryptographic mechanisms to protect the confidentiality of remote access sessions, so that CUI in transit between a remote client and the managed access point cannot be read by anyone on the path.

  • Remote Access Confidentiality (AC.L2-3.1.13[a])

    Remote Access Confidentiality (AC.L2-3.1.13[a]) requires that the cryptographic mechanisms used to protect the confidentiality of remote access sessions are identified, for example TLS for the remote desktop gateway and IPsec or TLS for the VPN, together with the protocol versions and cipher suites permitted. FIPS-validated cryptography is expected wherever the sessions carry CUI.

  • Remote Access Confidentiality (AC.L2-3.1.13[b])

    Remote Access Confidentiality (AC.L2-3.1.13[b]) requires that the identified mechanisms are implemented. Show the configuration on the access points (enabled protocol versions, cipher suites, certificate validation) and confirm that clients cannot negotiate a fallback to an unlisted or weaker option.

  • Separation of Duties (AC.L2-3.1.4)

    Separation of Duties (AC.L2-3.1.4) is a subcontrol within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. It requires the organization to separate the duties of individuals to reduce the risk of malevolent activity without collusion: no single person should be able to both perform and approve a sensitive action, such as creating an account and granting it privileges, or changing a system and attesting that the change was reviewed.

  • Separation of Duties (AC.L2-3.1.4[a])

    Separation of Duties (AC.L2-3.1.4[a]) requires that the duties of individuals requiring separation are defined. Typical pairs are system administration and audit review, development and production deployment, and request and approval of access.

  • Separation of Duties (AC.L2-3.1.4[b])

    Separation of Duties (AC.L2-3.1.4[b]) requires that responsibilities for duties that require separation are assigned to separate individuals. In a small organization this may mean involving a second person or an outside party for the review half of a pair rather than accepting that one person does both.

  • Separation of Duties (AC.L2-3.1.4[c])

    Separation of Duties (AC.L2-3.1.4[c]) requires that the access privileges enabling individuals to exercise the separated duties are granted to separate individuals. The organization chart is not enough; the accounts and roles in the systems must reflect the separation, and a periodic review should confirm that no one has accumulated both halves of a pair.

  • Privileged Functions (AC.L2-3.1.7)

    Privileged Functions (AC.L2-3.1.7) is a subcontrol within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. It requires the organization to prevent non-privileged users from executing privileged functions and to capture the execution of such functions in audit logs. Privileged functions are the actions that can change the security state of a system, and they must be both restricted and recorded.

  • Privileged Functions (AC.L2-3.1.7[a])

    Privileged Functions (AC.L2-3.1.7[a]) requires that privileged functions are defined, for example creating or modifying accounts, changing permissions, altering audit or logging settings, installing software, and changing firewall or security tool configuration.

  • Privileged Functions (AC.L2-3.1.7[b])

    Privileged Functions (AC.L2-3.1.7[b]) requires that non-privileged users are defined. In most organizations this is everyone who is not on the privileged account inventory kept for AC.L2-3.1.5[a].

  • Privileged Functions (AC.L2-3.1.7[c])

    Privileged Functions (AC.L2-3.1.7[c]) requires that non-privileged users are prevented from executing the defined privileged functions. Enforcement lives in the operating system and application permission model, for example sudoers rules, local administrator group membership and role assignments, and should be tested rather than assumed.

  • Privileged Functions (AC.L2-3.1.7[d])

    Privileged Functions (AC.L2-3.1.7[d]) requires that the execution of privileged functions is captured in audit logs. Privileged command execution, account and group changes, and changes to audit settings should generate log entries that are forwarded to a central store the administrators themselves cannot silently alter.
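    An added example, not part of the original page or of any CMMC material, showing how [c] and [d] can be checked together from the audit trail: parse sudo's syslog lines, flag privileged functions run by users outside the privileged set, and list the privileged executions the log captured. The function list, the privileged user set and the log lines are constructed for the example.

```python
import re

# AC.L2-3.1.7[a]/[b]: assumed definitions for this example.
PRIVILEGED_FUNCTIONS = {"/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/bin/systemctl", "/usr/sbin/auditctl"}
PRIVILEGED_USERS = {"jdoe-adm"}

# Matches the syslog line format sudo emits for both allowed and refused commands.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>user NOT in sudoers|command not allowed) ; )?"
    r".*?COMMAND=(?P<cmd>\S+)"
)


def parse_sudo_log(text):
    """Return one dict per sudo event: who ran (or tried to run) what, and whether sudo refused it."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            events.append({"user": m["user"], "cmd": m["cmd"], "denied": m["denied"] is not None})
    return events


def check_privileged_functions(events):
    """Return (violations, blocked, audited).

    violations: non-privileged users who executed a privileged function (3.1.7[c] failed)
    blocked:    non-privileged users whose attempt sudo refused (3.1.7[c] held)
    audited:    every successful privileged-function execution the log captured (3.1.7[d] evidence)
    """
    violations, blocked, audited = [], [], []
    for e in events:
        if e["cmd"] not in PRIVILEGED_FUNCTIONS:
            continue
        if not e["denied"]:
            audited.append((e["user"], e["cmd"]))
        if e["user"] in PRIVILEGED_USERS:
            continue
        (blocked if e["denied"] else violations).append((e["user"], e["cmd"]))
    return violations, blocked, audited


# Constructed log lines modeled on sudo's syslog output; not taken from a real host.
SAMPLE_LOG = """\
Mar 12 09:14:02 host1 sudo: jdoe-adm : TTY=pts/0 ; PWD=/home/jdoe-adm ; USER=root ; COMMAND=/usr/sbin/useradd -m contractor1
Mar 12 09:15:40 host1 sudo:     jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd
Mar 12 09:16:05 host1 sudo:     jdoe : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/useradd -m evil
Mar 12 09:17:11 host1 sudo:   bsmith : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/syslog
Mar 12 09:18:30 host1 sshd[2211]: Accepted publickey for jdoe from 10.0.0.5 port 51122 ssh2
"""

if __name__ == "__main__":
    violations, blocked, audited = check_privileged_functions(parse_sudo_log(SAMPLE_LOG))
    print("violations:", violations)
    print("blocked:", blocked)
    print("audited privileged executions:", audited)
```

    The second sample line is the case that matters: a non-privileged user was able to stop the audit daemon, which is both a [c] failure and, had the log not already been shipped off the host, the end of the [d] evidence. The refused attempt on the third line shows what a working [c] control looks like in the same log.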

  • Session Termination (AC.L2-3.1.11)

    Session Termination (AC.L2-3.1.11) is a subcontrol within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. It requires the organization to terminate a user session automatically after a defined condition. Unlike session lock, which suspends a session for the same user to resume, termination ends it, so a forgotten remote session or one that has exceeded its permitted lifetime cannot be reused.

  • Session Termination (AC.L2-3.1.11[a])

    Session Termination (AC.L2-3.1.11[a]) requires that the conditions requiring a user session to terminate are defined. Common conditions are a period of inactivity longer than the lock timeout, a maximum session duration, time-of-day restrictions, or a response to a detected security event.

  • Session Termination (AC.L2-3.1.11[b])

    Session Termination (AC.L2-3.1.11[b]) requires that a user session is automatically terminated after any of the defined conditions occurs. Verify this on remote access and web application sessions as well as local logons; VPN idle timeouts and application session lifetimes are often left at vendor defaults that do not match the definition.

  • Mobile Device Connection (AC.L2-3.1.18)

    Mobile Device Connection (AC.L2-3.1.18) is a critical subcontrol within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. This subcontrol focuses on managing and controlling the connections of mobile devices to organizational information systems. By establishing effective controls over mobile device connections, organizations can mitigate the risks associated with unauthorized access and potential security breaches.

  • Mobile Device Connection (AC.L2-3.1.18[a])

    Mobile Device Connection (AC.L2-3.1.18[a]) is a specific subcontrol within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. This subcontrol focuses on establishing policies and controls for managing the connection of mobile devices to organizational information systems. The objective is to ensure that these connections are secure, authorized, and aligned with organizational security policies

  • Mobile Device Connection (AC.L2-3.1.18[b])

    Mobile Device Connection (AC.L2-3.1.18[b]) is a specific subcontrol within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. This subcontrol focuses on implementing technical measures to secure the connection of mobile devices to organizational information systems. The goal is to ensure that these connections adhere to established security policies, protecting against unauthorized access and potential security breaches.

  • Mobile Device Connection (AC.L2-3.1.18[c])

    Mobile Device Connection (AC.L2-3.1.18[c]) is a specific assessment objective under the Mobile Device Connection practice within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. This objective focuses on monitoring and logging mobile device connections to organizational information systems. Each connection attempt, whether allowed or denied, is recorded with enough detail (device identity, user, time, source) to detect unauthorized or suspicious connections and to reconstruct them afterward.

  • Privileged Remote Access (AC.L2-3.1.15)

    Privileged Remote Access (AC.L2-3.1.15) is a specific subcontrol within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. The practice requires the organization to authorize remote execution of privileged commands and remote access to security-relevant information. It is assessed against four objectives from NIST SP 800-171A: the privileged commands authorized for remote execution are identified ([a]); the security-relevant information authorized to be accessed remotely is identified ([b]); execution of the identified privileged commands via remote access is authorized ([c]); and access to the identified security-relevant information via remote access is authorized ([d]). The intent is an explicit, default-deny list: a remote session should not be able to run arbitrary administrative commands or read audit logs and security configuration merely because the user holds a privileged account.

  • Privileged Remote Access (AC.L2-3.1.15[a])

    Privileged Remote Access (AC.L2-3.1.15[a]) is a specific assessment objective under the Privileged Remote Access practice within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. This objective focuses on identifying the privileged commands that are authorized for remote execution. What is expected is a documented list, per role, of the administrative commands (for instance, service restarts or log queries) that may be run from a remote session; anything not on the list is, by default, not authorized remotely. Multi-factor authentication for remote sessions is a separate Identification and Authentication requirement (IA.L2-3.5.3) and does not satisfy this objective.

  • Privileged Remote Access (AC.L2-3.1.15[b])

    Privileged Remote Access (AC.L2-3.1.15[b]) is a specific assessment objective under the Privileged Remote Access practice within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. This objective focuses on identifying the security-relevant information that is authorized to be accessed remotely. Security-relevant information includes audit logs, security configuration files, access control lists and similar data whose disclosure or modification would weaken protections; the objective is to decide explicitly which of it may be reached from a remote session, and by whom.

  • Privileged Remote Access (AC.L2-3.1.15[c])

    Privileged Remote Access (AC.L2-3.1.15[c]) is a specific assessment objective under the Privileged Remote Access practice within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. This objective focuses on authorizing execution of the identified privileged commands via remote access. Having identified the commands, the organization must actually enforce the list, for example through sudo rules, a privileged access gateway, or a bastion host that permits only the listed commands, so that a remote privileged session cannot run commands outside the authorized set.

  • Privileged Remote Access (AC.L2-3.1.15[d])

    Privileged Remote Access (AC.L2-3.1.15[d]) is a specific assessment objective under the Privileged Remote Access practice within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. This objective focuses on authorizing access to the identified security-relevant information via remote access. Remote reads or modifications of that information are permitted only for the approved information and approved roles, and denied otherwise, so that a compromised remote session cannot silently read audit data or alter security configuration.
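
    As an added example covering the four objectives of AC.L2-3.1.15 (it is not the CMMC program's or any product's code), the policy below encodes the identified privileged commands and the identified security-relevant information as explicit allowlists and evaluates remote requests against them with default deny. The roles, commands, argument patterns and paths are assumptions; the two things worth noticing are that the argument pattern is fully anchored, so a command line with a trailing shell operator is refused, and that paths are normalized before the prefix check, so directory traversal cannot escape an authorized directory.

```python
"""Added example (not from the CMMC program or any product): default-deny authorization
of privileged commands and security-relevant information reached over remote access,
as AC.L2-3.1.15[a]-[d] describe. Roles, commands, paths and patterns are assumptions."""
import posixpath
import re
import shlex
from dataclasses import dataclass

# Objective [a]: privileged commands authorized for remote execution are identified.
# (base command, regex the full argument string must match, roles allowed) -- assumed.
REMOTE_PRIVILEGED_COMMANDS = [
    ("systemctl", r"(restart|status) (nginx|sshd)", {"ops"}),
    ("journalctl", r"-u (nginx|sshd)( --since .+)?", {"ops", "soc"}),
]

# Objective [b]: security-relevant information authorized for remote access is identified.
# (exact path, or directory prefix ending in "/", roles allowed) -- assumed.
REMOTE_SECURITY_INFO = [
    ("/var/log/audit/", {"soc"}),
    ("/etc/ssh/sshd_config", {"ops"}),
]


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    remote: bool   # True when the session arrives via VPN, SSH from outside, etc.
    kind: str      # "exec" for a privileged command, "read" for security-relevant info
    target: str    # the command line or the path


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _authorize_exec(req: Request) -> Decision:
    """Objective [c]: only the identified commands, with matching arguments, by an allowed role."""
    try:
        argv = shlex.split(req.target)
    except ValueError:
        return Decision(False, "unparseable command line")
    if not argv:
        return Decision(False, "empty command line")
    base, args = argv[0], " ".join(argv[1:])
    for cmd, pattern, roles in REMOTE_PRIVILEGED_COMMANDS:
        # fullmatch anchors the pattern, so a trailing "; cat /etc/shadow" never matches
        if base == cmd and re.fullmatch(pattern, args) and roles & req.roles:
            return Decision(True, f"{base} identified for remote execution by role")
    return Decision(False, "command not identified for remote execution")


def _authorize_read(req: Request) -> Decision:
    """Objective [d]: only the identified information, by an allowed role."""
    path = posixpath.normpath(req.target)   # collapses ../ so traversal cannot escape a prefix
    if not path.startswith("/"):
        return Decision(False, "relative path")
    for entry, roles in REMOTE_SECURITY_INFO:
        if entry.endswith("/"):
            hit = path.startswith(entry) or path == entry.rstrip("/")
        else:
            hit = path == entry
        if hit and roles & req.roles:
            return Decision(True, f"{entry} identified for remote access by role")
    return Decision(False, "information not identified for remote access")


def authorize(req: Request) -> Decision:
    """Entry point: local sessions fall under local privilege controls; remote is default-deny."""
    if not req.remote:
        return Decision(True, "local session: not governed by 3.1.15")
    if req.kind == "exec":
        return _authorize_exec(req)
    if req.kind == "read":
        return _authorize_read(req)
    return Decision(False, "unknown request kind")


if __name__ == "__main__":
    ops = frozenset({"ops"})
    for target in ("systemctl restart nginx", "systemctl restart nginx; cat /etc/shadow"):
        print(target, "->", authorize(Request("alice", ops, True, "exec", target)))
    for target in ("/etc/ssh/sshd_config", "/var/log/audit/../../../etc/shadow"):
        print(target, "->", authorize(Request("alice", ops, True, "read", target)))
```

    In a real deployment the same two lists would be expressed in the enforcement point itself, such as sudoers rules on the host or the command policy of a privileged access gateway; the value of writing them out as data first is that the assessor can be shown objectives [a] and [b] directly, and the enforcement for [c] and [d] can be tested against them.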

  • Encrypt CUI on Mobile (AC.L2-3.1.19)

    Encrypt CUI on Mobile (AC.L2-3.1.19) is a specific subcontrol within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. The practice requires that Controlled Unclassified Information (CUI) be encrypted on mobile devices and mobile computing platforms, and it is assessed against two objectives from NIST SP 800-171A: the mobile devices and mobile computing platforms that process, store, or transmit CUI are identified ([a]), and encryption is employed to protect CUI on those identified devices ([b]). Because such devices are readily lost or stolen, encryption is what keeps a lost device from becoming a CUI spill.

  • Encrypt CUI on Mobile (AC.L2-3.1.19[a])

    Encrypt CUI on Mobile (AC.L2-3.1.19[a]) is a specific assessment objective under the Encrypt CUI on Mobile practice within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. This objective focuses on identifying the mobile devices and mobile computing platforms that process, store, or transmit Controlled Unclassified Information (CUI). It is the same inventory question as AC.L2-3.1.18[a], extended to laptops and other mobile computing platforms: the organization must know which devices carry CUI before it can show that encryption protects them.

  • Encrypt CUI on Mobile (AC.L2-3.1.19[b])

    Encrypt CUI on Mobile (AC.L2-3.1.19[b]) is a specific assessment objective under the Encrypt CUI on Mobile practice within the Access Control (AC) domain of the Cybersecurity Maturity Model Certification (CMMC) framework. This objective focuses on employing encryption to protect CUI on the identified devices. Typical mechanisms are full-device or full-disk encryption enforced through MDM or endpoint management, with the encryption state reported back so that an unencrypted device can be detected and blocked. Where cryptography protects the confidentiality of CUI, a separate requirement (SC.L2-3.13.11) calls for FIPS-validated cryptography, so the cryptographic module in use matters, not only the fact that encryption is switched on.
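
    Because AC.L2-3.1.18 and AC.L2-3.1.19 rest on the same device inventory, one added example serves both; it is written for this page and is not the code of the CMMC program or of any MDM product. It identifies the CUI-handling devices ([a] of both practices), authorizes a connection only for an enrolled device used by its registered owner and, for a CUI device, only while encryption is on (3.1.18[b] and 3.1.19[b]), and turns every connection attempt into an audit record (3.1.18[c]). The inventory, the log line format and all device and user names are constructed for the example.

```python
"""Added example (not from the CMMC program or any MDM product): identify CUI-handling
mobile devices, authorize their connections, log every attempt, and flag CUI devices
without encryption, covering AC.L2-3.1.18[a]-[c] and AC.L2-3.1.19[a]-[b].
The inventory, log format and field names are constructed for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    enrolled: bool      # enrolled in MDM; assumed to be the organization's authorization record
    handles_cui: bool   # processes, stores or transmits CUI
    encrypted: bool     # device encryption state as reported by the MDM


# Constructed device inventory.
INVENTORY = {
    "ios-1001": Device("ios-1001", "alice", True, True, True),
    "and-2002": Device("and-2002", "bob", True, True, False),     # CUI device, encryption off
    "and-2003": Device("and-2003", "carol", True, False, False),  # no CUI on it
    "byod-9":   Device("byod-9", "dave", False, False, False),    # never enrolled
}

# Constructed connection log in the shape a VPN gateway or NAC might emit.
CONNECTION_LOG = """\
2024-05-01T08:00:01Z connect device=ios-1001 user=alice src=203.0.113.10 net=vpn
2024-05-01T08:02:15Z connect device=and-2002 user=bob src=203.0.113.11 net=vpn
2024-05-01T08:05:40Z connect device=unknown-7 user=bob src=198.51.100.5 net=wifi
2024-05-01T08:07:09Z connect device=byod-9 user=dave src=198.51.100.6 net=wifi
2024-05-01T08:09:30Z connect device=and-2003 user=carol src=203.0.113.12 net=vpn
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) connect device=(?P<device>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) net=(?P<net>\S+)$")


def cui_devices(inventory: dict) -> list:
    """3.1.18[a] / 3.1.19[a]: mobile devices that process, store or transmit CUI."""
    return sorted(d.device_id for d in inventory.values() if d.handles_cui)


def unencrypted_cui_devices(inventory: dict) -> list:
    """3.1.19[b]: CUI devices on which encryption is not employed."""
    return sorted(d.device_id for d in inventory.values() if d.handles_cui and not d.encrypted)


def authorize_connection(device_id: str, user: str, inventory: dict) -> tuple:
    """3.1.18[b]: authorized only for an enrolled device used by its registered owner,
    and for a CUI-handling device only while it is encrypted."""
    d = inventory.get(device_id)
    if d is None:
        return False, "device not in inventory"
    if not d.enrolled:
        return False, "device not enrolled"
    if d.owner != user:
        return False, "user is not the registered owner"
    if d.handles_cui and not d.encrypted:
        return False, "CUI device without encryption"
    return True, "authorized"


def process_log(log_text: str, inventory: dict) -> list:
    """3.1.18[c]: every attempt, allowed or denied, becomes an audit record."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            records.append({"ts": None, "device": None, "user": None, "src": None, "net": None,
                            "allowed": False, "reason": "unparseable log line", "raw": line})
            continue
        allowed, reason = authorize_connection(m["device"], m["user"], inventory)
        records.append({"ts": m["ts"], "device": m["device"], "user": m["user"],
                        "src": m["src"], "net": m["net"], "allowed": allowed, "reason": reason})
    return records


def denied(records: list) -> list:
    """Denied attempts, the ones an analyst should look at."""
    return [(r["device"], r["reason"]) for r in records if not r["allowed"]]


if __name__ == "__main__":
    recs = process_log(CONNECTION_LOG, INVENTORY)
    for r in recs:
        print(f"{r['ts']} device={r['device']} user={r['user']} "
              f"allowed={r['allowed']} reason={r['reason']}")
    print("CUI devices lacking encryption:", unencrypted_cui_devices(INVENTORY))
```

    A log line the parser cannot read is still recorded, as a denied attempt with the raw text kept, rather than dropped: silently discarding malformed lines would defeat the monitoring objective. The encryption check here relies on the state the MDM reports, so the example assumes that report is trustworthy and current; in practice the device attestation behind it is what makes the "encrypted" flag worth acting on.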