CMMC 2.11 Control Explorer




ID | Level | Domain | Title | Requirement | Points
AC.L1-b.1.i | 1 | Access Control | Authorized Access Control [FCI Data]

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

AC.L1-b.1.ii | 1 | Access Control | Transaction & Function Control [FCI Data]

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

AC.L1-b.1.iii | 1 | Access Control | External Connections [FCI Data]

Verify and control/limit connections to and use of external information systems.

AC.L1-b.1.iv | 1 | Access Control | Control Public Information [FCI Data]

Control information posted or processed on publicly accessible information systems.

IA.L1-b.1.v | 1 | Identification and Authentication | Identification [FCI Data]

Identify information system users, processes acting on behalf of users, or devices.

IA.L1-b.1.vi | 1 | Identification and Authentication | Authentication [FCI Data]

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

MP.L1-b.1.vii | 1 | Media Protection | Media Disposal [FCI Data]

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

PE.L1-b.1.ix | 1 | Physical Protection | Manage Visitors & Physical Access [FCI Data]

Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

PE.L1-b.1.viii | 1 | Physical Protection | Limit Physical Access [FCI Data]

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

SC.L1-b.1.x | 1 | System and Communications Protection | Boundary Protection [FCI Data]

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

SC.L1-b.1.xi | 1 | System and Communications Protection | Public-Access System Separation [FCI Data]

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

SI.L1-b.1.xii | 1 | System and Information Integrity | Flaw Remediation [FCI Data]

Identify, report, and correct information and information system flaws in a timely manner.

SI.L1-b.1.xiii | 1 | System and Information Integrity | Malicious Code Protection [FCI Data]

Provide protection from malicious code at appropriate locations within organizational information systems.

SI.L1-b.1.xiv | 1 | System and Information Integrity | Update Malicious Code Protection [FCI Data]

Update malicious code protection mechanisms when new releases are available.

SI.L1-b.1.xv | 1 | System and Information Integrity | System & File Scanning [FCI Data]

Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.