ID | Level | Domain | Title | Requirement | Points |
---|---|---|---|---|---|
AC.L3-3.1.2e | 3 | Access Control | Organizationally Controlled Assets | Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization. | 1 |
AC.L3-3.1.3e | 3 | Access Control | Secured Information Transfer | Employ secure information transfer solutions to control information flows between security domains on connected systems. | 1 |
AT.L3-3.2.1e | 3 | Awareness and Training | Advanced Threat Awareness | Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat. | 1 |
AT.L3-3.2.2e | 3 | Awareness and Training | Practical Training Exercises | Include practical exercises in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users, that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors. | 1 |
CA.L3-3.12.1e | 3 | Security Assessment | Penetration Testing | Conduct penetration testing at least annually or when significant security changes are made to the system, leveraging automated scanning tools and ad hoc tests using subject matter experts. | 1 |
CM.L3-3.4.1e | 3 | Configuration Management | Authoritative Repository | Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components. | 1 |
CM.L3-3.4.2e | 3 | Configuration Management | Automated Detection & Remediation | Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, remove the components or place the components in a quarantine or remediation network to facilitate patching, re-configuration, or other mitigations. | 1 |
CM.L3-3.4.3e | 3 | Configuration Management | Automated Inventory | Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components. | 1 |
IA.L3-3.5.1e | 3 | Identification and Authentication | Bidirectional Authentication | Identify and authenticate systems and system components, where possible, before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant. | 1 |
IA.L3-3.5.3e | 3 | Identification and Authentication | Block Untrusted Assets | Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile. | 1 |
IR.L3-3.6.1e | 3 | Incident Response | Security Operations Center | Establish and maintain a security operations center capability that operates 24/7, with allowance for remote/on-call staff. | 1 |
IR.L3-3.6.2e | 3 | Incident Response | Cyber Incident Response Team | Establish and maintain a cyber incident response team that can be deployed by the organization within 24 hours. | 1 |
PS.L3-3.9.2e | 3 | Personnel Security | Adverse Information | Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI. | 1 |
RA.L3-3.11.1e | 3 | Risk Assessment | Threat-Informed Risk Assessment | Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities. | 1 |
RA.L3-3.11.2e | 3 | Risk Assessment | Threat Hunting | Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications warrant, to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls. | 1 |
RA.L3-3.11.3e | 3 | Risk Assessment | Advanced Risk Identification | Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components. | 1 |
RA.L3-3.11.4e | 3 | Risk Assessment | Security Solution Rationale | Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination. | 1 |
RA.L3-3.11.5e | 3 | Risk Assessment | Security Solution Effectiveness | Assess the effectiveness of security solutions at least annually or upon receipt of relevant cyber threat information, or in response to a relevant cyber incident, to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence. | 1 |
RA.L3-3.11.6e | 3 | Risk Assessment | Supply Chain Risk Response | Assess, respond to, and monitor supply chain risks associated with organizational systems and system components. | 1 |
RA.L3-3.11.7e | 3 | Risk Assessment | Supply Chain Risk Plan | Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan at least annually, and upon receipt of relevant cyber threat information, or in response to a relevant cyber incident. | 1 |
SC.L3-3.13.4e | 3 | System and Communications Protection | Isolation | Employ physical isolation techniques or logical isolation techniques or both in organizational systems and system components. | 1 |
SI.L3-3.14.1e | 3 | System and Information Integrity | Integrity Verification | Verify the integrity of security critical and essential software using root of trust mechanisms or cryptographic signatures. | 1 |
SI.L3-3.14.3e | 3 | System and Information Integrity | Specialized Asset Security | Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems and test equipment are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks. | 1 |
SI.L3-3.14.6e | 3 | System and Information Integrity | Threat-Guided Intrusion Detection | Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting. | 1 |