CMMC

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is aimed at measuring the maturity of an organization's cybersecurity processes (process institutionalization). The version used in this section is CMMC 2.0.

Control-Requirement Mapping

Definition	Requirements
AC_L1-3_1_1. Authorized access control	176. Restrict system objects 227. Display access notification 265. Restrict access to critical processes 033. Restrict administrative access 035. Manage privilege modifications 095. Define users with privileges 096. Set user's required privileges
AC_L1-3_1_2. Transaction & function control	147. Use pre-existent mechanisms 174. Transactions without a distinguishable pattern 176. Restrict system objects 229. Request access credentials 264. Request authentication 265. Restrict access to critical processes 346. Use initialization vectors once 030. Avoid object reutilization 084. Allow transaction history queries
AC_L1-3_1_20. External connections	262. Verify third-party components 284. Define maximum number of connections 324. Control redirects 330. Verify Subresource Integrity 092. Use externally signed certificates
AC_L1-3_1_22. Control public information	123. Restrict the reading of emails 261. Avoid exposing sensitive information 325. Protect WSDL files 364. Provide extended validation (EV) certificates 045. Remove metadata when sharing files
AC_L2-3_1_3. Control CUI flow	331. Guarantee legal compliance
AC_L2-3_1_4. Separation of duties	033. Restrict administrative access 035. Manage privilege modifications 095. Define users with privileges 096. Set user's required privileges
AC_L2-3_1_5. Least privilege	186. Use the principle of least privilege
AC_L2-3_1_6. Non-privileged account use	033. Restrict administrative access 096. Set user's required privileges
AC_L2-3_1_7. Privileged functions	035. Manage privilege modifications 080. Prevent log modification 083. Avoid logging sensitive data
AC_L2-3_1_8. Unsuccessful logon attempts	131. Deny multiple password changing attempts 210. Delete information from mobile devices 225. Proper authentication responses 226. Avoid account lockouts 227. Display access notification
AC_L2-3_1_9. Privacy & security notices	225. Proper authentication responses 227. Display access notification 301. Notify configuration changes 318. Notify third parties of changes 358. Notify upcoming expiration dates
AC_L2-3_1_10. Session lock	114. Deny access with inactive credentials 144. Remove inactive accounts periodically 027. Allow session lockout
AC_L2-3_1_11. Session termination	141. Force re-authentication 023. Terminate inactive user sessions 031. Discard user session data
AC_L2-3_1_12. Control remote access	153. Out of band transactions 213. Allow geographic location 253. Restrict network access 257. Access based on user credentials 377. Store logs based on valid regulation
AC_L2-3_1_13. Remote access confidentiality	147. Use pre-existent mechanisms 172. Encrypt connection strings 181. Transmit data using secure protocols 336. Disable insecure TLS versions 338. Implement perfect forward secrecy
AC_L2-3_1_14. Remote access routing	249. Locate access points 250. Manage access points 320. Avoid client-side control enforcement
AC_L2-3_1_15. Privileged remote access	095. Define users with privileges 096. Set user's required privileges
AC_L2-3_1_16. Wireless access authorization	253. Restrict network access
AC_L2-3_1_17. Wireless access protection	250. Manage access points 252. Configure key encryption 253. Restrict network access 255. Allow access only to the necessary ports
AC_L2-3_1_18. Mobile device connection	205. Configure PIN 206. Configure communication protocols 213. Allow geographic location
AC_L2-3_1_19. Encrypt CUI on mobile	185. Encrypt sensitive information 329. Keep client-side storage without sensitive data 026. Encrypt client-side session information
AC_L2-3_1_21. Portable storage use	210. Delete information from mobile devices 214. Allow data destruction
AT_L2-3_2_1. Role-based risk awareness	155. Application free of malicious code 156. Source code without sensitive information 158. Use a secure programming language 161. Define secure default options 167. Close unused resources 171. Remove commented-out code 062. Define standard configurations 077. Avoid disclosing technical information
AU_L2-3_3_1. System audit	376. Register severity level 377. Store logs based on valid regulation 378. Use of log management system 075. Record exceptional events in logs
AU_L2-3_3_2. User accountability	075. Record exceptional events in logs 079. Record exact occurrence time of events 085. Allow session history queries
AU_L2-3_3_3. Event review	322. Avoid excessive logging 075. Record exceptional events in logs
AU_L2-3_3_4. Audit failure alerting	225. Proper authentication responses 301. Notify configuration changes 313. Inform inability to identify users
AU_L2-3_3_7. Authoritative time source	363. Synchronize system clocks 079. Record exact occurrence time of events
AU_L2-3_3_8. Audit protection	080. Prevent log modification
AU_L2-3_3_9. Audit management	378. Use of log management system 095. Define users with privileges
CM_L2-3_4_2. Security configuration enforcement	266. Disable insecure functionalities 273. Define a fixed security suite 062. Define standard configurations
CM_L2-3_4_3. System change management	301. Notify configuration changes 378. Use of log management system
CM_L2-3_4_5. Access restrictions for change	176. Restrict system objects 253. Restrict network access 265. Restrict access to critical processes 033. Restrict administrative access
CM_L2-3_4_6. Least functionality	186. Use the principle of least privilege
CM_L2-3_4_7. Nonessential functionality	167. Close unused resources
CM_L2-3_4_8. Application execution policy	313. Inform inability to identify users
CM_L2-3_4_9. User-installed software	320. Avoid client-side control enforcement 329. Keep client-side storage without sensitive data 352. Enable trusted execution 375. Remove sensitive data from client-side applications 026. Encrypt client-side session information
IA_L1-3_5_2. Authentication	122. Validate credential ownership 229. Request access credentials 264. Request authentication
IA_L2-3_5_3. Multifactor authentication	328. Request MFA for critical systems 362. Assign MFA mechanisms to a single account
IA_L2-3_5_4. Replay-resistant authentication	030. Avoid object reutilization 033. Restrict administrative access
IA_L2-3_5_5. Identifier reuse	140. Define OTP lifespan 335. Define out of band token lifespan 030. Avoid object reutilization
IA_L2-3_5_6. Identifier handling	114. Deny access with inactive credentials 144. Remove inactive accounts periodically 369. Set a maximum lifetime in sessions 023. Terminate inactive user sessions
IA_L2-3_5_7. Password complexity	129. Validate previous passwords 131. Deny multiple password changing attempts 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 139. Set minimum OTP length 334. Avoid knowledge-based authentication
IA_L2-3_5_8. Password reuse	130. Limit password lifespan 332. Prevent the use of breached passwords
IA_L2-3_5_9. Temporary passwords	126. Set a password regeneration mechanism 136. Force temporary password change 137. Change temporary passwords of third parties 138. Define lifespan for temporary passwords 367. Proper generation of temporary passwords
IA_L2-3_5_10. Cryptographically-protected passwords	127. Store hashed passwords 134. Store passwords with salt 209. Manage passwords in cache 380. Define a password management tool
MA_L2-3_7_3. Equipment sanitization	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
MA_L2-3_7_4. Media inspection	155. Application free of malicious code 041. Scan files for malicious code
MA_L2-3_7_5. Nonlocal maintenance	328. Request MFA for critical systems 362. Assign MFA mechanisms to a single account
MP_L1-3_8_3. Media disposal	183. Delete sensitive data securely 315. Provide processed data information 317. Allow erasure requests 318. Notify third parties of changes 360. Remove unnecessary sensitive information
MP_L2-3_8_1. Media protection	153. Out of band transactions 232. Require equipment identity 255. Allow access only to the necessary ports 350. Enable memory protection mechanisms 351. Assign unique keys to each device 362. Assign MFA mechanisms to a single account
MP_L2-3_8_2. Media access	176. Restrict system objects 205. Configure PIN 229. Request access credentials 264. Request authentication 351. Assign unique keys to each device
MP_L2-3_8_5. Media accountability	153. Out of band transactions 181. Transmit data using secure protocols
MP_L2-3_8_6. Portable storage encryption	185. Encrypt sensitive information 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions
MP_L2-3_8_7. Removable media	205. Configure PIN 210. Delete information from mobile devices 213. Allow geographic location 214. Allow data destruction 221. Disconnect unnecessary input devices 255. Allow access only to the necessary ports 326. Detect rooted devices
MP_L2-3_8_8. Shared media	232. Require equipment identity
PE_L1-3_10_1. Limit physical access	250. Manage access points 257. Access based on user credentials 273. Define a fixed security suite 362. Assign MFA mechanisms to a single account
PE_L1-3_10_4. Physical access logs	075. Record exceptional events in logs 085. Allow session history queries
PE_L1-3_10_5. Manage physical access	205. Configure PIN 255. Allow access only to the necessary ports 362. Assign MFA mechanisms to a single account 373. Use certificate pinning
PE_L2-3_10_6. Alternative work sites	273. Define a fixed security suite
RA_L2-3_11_2. Vulnerability scan	155. Application free of malicious code 041. Scan files for malicious code 062. Define standard configurations
CA_L2-3_12_2. Plan of action	161. Define secure default options 164. Use optimized structures 175. Protect pages from clickjacking 262. Verify third-party components 273. Define a fixed security suite 340. Use octet stream downloads 345. Establish protections against overflows 039. Define maximum file size
CA_L2-3_12_3. Security control monitoring	376. Register severity level 378. Use of log management system 075. Record exceptional events in logs 079. Record exact occurrence time of events
SC_L1-3_13_1. Boundary protection	145. Protect system cryptographic keys 147. Use pre-existent mechanisms 206. Configure communication protocols 224. Use secure cryptographic mechanisms 249. Locate access points 250. Manage access points 252. Configure key encryption 253. Restrict network access 255. Allow access only to the necessary ports 257. Access based on user credentials 336. Disable insecure TLS versions 338. Implement perfect forward secrecy 346. Use initialization vectors once 030. Avoid object reutilization
SC_L1-3_13_5. Public-access system separation	259. Segment the organization network
SC_L2-3_13_3. Role separation	095. Define users with privileges 096. Set user's required privileges
SC_L2-3_13_4. Shared resource control	127. Store hashed passwords 176. Restrict system objects 075. Record exceptional events in logs 096. Set user's required privileges
SC_L2-3_13_6. Network communication by exception	341. Use the principle of deny by default 359. Avoid using generic exceptions
SC_L2-3_13_7. Split tunneling	284. Define maximum number of connections 025. Manage concurrent sessions
SC_L2-3_13_8. Data in transit	147. Use pre-existent mechanisms 181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 077. Avoid disclosing technical information
SC_L2-3_13_9. Connections termination	023. Terminate inactive user sessions 031. Discard user session data
SC_L2-3_13_10. Key management	145. Protect system cryptographic keys 151. Separate keys for encryption and signatures 252. Configure key encryption 351. Assign unique keys to each device
SC_L2-3_13_13. Mobile code	205. Configure PIN
SC_L2-3_13_15. Communications authenticity	147. Use pre-existent mechanisms 178. Use digital signatures 338. Implement perfect forward secrecy 030. Avoid object reutilization
SC_L2-3_13_16. Data at rest	146. Remove cryptographic keys from RAM 329. Keep client-side storage without sensitive data 062. Define standard configurations
SI_L1-3_14_2. Malicious code protection	155. Application free of malicious code 041. Scan files for malicious code
SI_L1-3_14_4. Update malicious code protection	353. Schedule firmware updates
SI_L1-3_14_5. System & file scanning	323. Exclude unverifiable files 339. Avoid storing sensitive files in the web root 340. Use octet stream downloads 352. Enable trusted execution 041. Scan files for malicious code
SI_L2-3_14_3. Security alerts & advisories	075. Record exceptional events in logs
SI_L2-3_14_7. Identify unauthorized use	376. Register severity level 075. Record exceptional events in logs 079. Record exact occurrence time of events

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.