Select Page

Understand the Cybersecurity Maturity Model Certification (CMMC) Requirements

This guide is designed to help you understand the Cybersecurity Maturity Model Certification (CMMC) Requirements. This applies to CMMC Level 1, CMMC Level 2, CMMC Level 3, CMMC Level 4, CMMC Level 5, DFARS 7021, NIST800-171.

Who can use this CMMC Implementation Guide?

Any companies that need to implement CMMC for certification. Types of companies inlcude manufacturers, machine shops, DoD Contractors, Prime Subcontractors or third parties working with CUI data as part of their supply chain.

How can ChatFortress help you implement CMMC?

How to Implement a CMMC Audit/Assessment using CMMC Software Tool?

Here are the List of CMMC Requirements. You can choose from the list here for a more detailed explainer of what it means and how it applies.

We provide you with a CMMC Clarification- This is where we help you understand what this means and how it applies to your company. If you need further help, I’d recommend activating your ChatFortress Easy Compliance CMMC Assessment Tool because inside that tool; you will find more details on how to meet these CMMC Requirements.

CMMC Practice Requirement Questionnaire 

To help you understand the CMMC Gap Assessment I’m providing you with the list of CMMC practice requirements. When you visit you will be provided with our Gap Assessment tool along with our detailed examples for each of the questions asked for CMMC. This helps you to understand the goal and application of each question. If you are reading the CMMC Practice Requirements and are confused that’s ok. Our team has translated the requirements into easy-to-understand and implement steps.

Note: Remember you need to satisfy the three elements for each of these questions 1. Documentation, 2. Systems & Processes, 3. Validation. As you read each requirement you might want to ask yourself the relevant questions about each requirement. CMMC is no longer self-assessment but validating to an auditor you are meeting each of the requirements.

DomainSectionCMMC Practice Requirement:
Access ControlAC.1.001Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Access ControlAC.1.002Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Access ControlAC.1.003Verify and control/limit connections to and use of external information systems.
Access ControlAC.1.004Control information posted or processed on publicly accessible information systems.
Access ControlAC.2.005Provide privacy and security notices consistent with applicable “Controlled Unclassified Information” (CUI) rules.
Access ControlAC.2.006Limit use of portable storage devices on external systems.
Access ControlAC.2.007Employ the principle of least privilege, including for specific security functions and privileged accounts.
Access ControlAC.2.008Use non-privileged accounts or roles when accessing nonsecurity functions.
Access ControlAC.2.009Limit unsuccessful logon attempts.
Access ControlAC.2.010Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
Access ControlAC.2.011Authorize wireless access prior to allowing such connections.
Access ControlAC.3.012Protect wireless access using authentication and encryption.
Access ControlAC.2.013Monitor and control remote access sessions.
Access ControlAC.3.014Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Access ControlAC.2.015Route remote access via managed access control points.
Access ControlAC.2.016Control the flow of Federal Contract Information in accordance with approved authorizations.
Access ControlAC.3.017Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Access ControlAC.3.018Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
Access ControlAC.3.019Terminate (automatically) user sessions after a defined condition.
Access ControlAC.3.020Control connection of mobile devices.
Access ControlAC.3.021Authorize remote execution of privileged commands and remote access to security relevant information.
Access ControlAC.3.022Encrypt CUI on mobile devices and mobile computing platforms.
Access ControlAC.4.023Control information flows between security domains on connected systems.
Access ControlAC.4.025Periodically review and update CUI program access permissions.
Access ControlAC.4.032Restrict remote network access based on organizational defined risk factors such as time of day, location of access, physical location, network connection state and measured properties of the current user and role.
Access ControlAC.5.024Identify and mitigate risk associated with unidentified wireless access points connected to the network.
Asset ManagementAM.3.036Define procedures for the handling of “Controlled Unclassified Information” (CUI) data.
Asset ManagementAM.4.226Employ automated capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
Audit and AccountabilityAU.2.041Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Audit and AccountabilityAU.2.042Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Audit and AccountabilityAU.2.043Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Audit and AccountabilityAU.2.044Review audit logs.
Audit and AccountabilityAU.3.045Review and update logged events.
Audit and AccountabilityAU.3.046Alert in the event of an audit logging process failure.
Audit and AccountabilityAU.3.048Collect audit logs into one or more central repositories.
Audit and AccountabilityAU.3.049Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Audit and AccountabilityAU.3.050Limit management of audit logging functionality to a subset of privileged users.
Audit and AccountabilityAU.3.051Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
Audit and AccountabilityAU.3.052Provide audit record reduction and report generation to support on-demand analysis and reporting.
Audit & AccountabilityAU.4.053Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally-defined suspicious activity.
Audit & AccountabilityAU.4.054Review audit information for broad activity in addition to per-machine activity.
Audit & AccountabilityAU.5.055Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
Awareness and TrainingAT.2.056Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
Awareness and TrainingAT.2.057Ensure that personnel are trained to carry out their assigned information security related duties and responsibilities.
Awareness & TrainingAT.3.058Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Awareness & TrainingAT.4.059Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
Awareness & TrainingAT.4.060Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
Awareness and TrainingAT.3.058Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Configuration ManagementCM.2.061Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Configuration ManagementCM.2.062Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Configuration ManagementCM.2.063Control and monitor user-installed software.
Configuration ManagementCM.2.064Establish and enforce security configuration settings for information technology products employed in organizational systems
Configuration ManagementCM.2.065Track, review, approve, or disapprove, and log changes to organizational systems.
Configuration ManagementCM.2.066Analyze the security impact of changes prior to implementation.
Configuration ManagementCM.3.067Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
Configuration ManagementCM.3.068Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
Configuration ManagementCM.3.069Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Configuration ManagementCM.4.073Employ application whitelisting and an application vetting process for systems identified by the organization.
Configuration ManagementCM.5.074Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification or cryptographic signatures).
Identification and AuthenticationIA.1.076Identify information system users, processes acting on behalf of users, or devices.
Identification and AuthenticationIA.1.077Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Identification and AuthenticationIA.2.078Enforce a minimum password complexity and change of characters when new passwords are created.
Identification and AuthenticationIA.2.079Prohibit password reuse for a specified number of generations.
Identification and AuthenticationIA.2.080Allow temporary password use for system logons with an immediate change to a permanent password.
Identification and AuthenticationIA.2.081Store and transmit only cryptographically protected passwords.
Identification and AuthenticationIA.2.082Obscure feedback of authentication information.
Identification and AuthenticationIA.3.083Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Identification and AuthenticationIA.3.084Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
Identification and AuthenticationIA.3.085Prevent the reuse of identifiers for a defined period.
Identification and AuthenticationIA.3.086Disable identifiers after a defined period of inactivity.
Incident ResponseIR.2.092Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
Incident ResponseIR.2.093Detect and report events.
Incident ResponseIR.2.094Analyze and triage events to support event resolution and incident declaration.
Incident ResponseIR.2.096Develop and implement responses to declared incidents according to predefined procedures.
Incident ResponseIR.2.097Perform root cause analysis on incidents to determine underlying causes.
Incident ResponseIR.3.098Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Incident ResponseIR.3.099Test the organizational incident response capability.
Incident ResponseIR.4.100Use knowledge of attacker tactics, techniques and procedures in incident response planning and execution.
Incident ResponseIR.4.101Establish and maintain a Security Operations Center (SOC) capability that facilitates a 24/7 response capability.
Incident ResponseIR.5.102Use a combination of manual and automated, real-time response to anomalous activities that match incident patterns.
Incident ResponseIR.5.106In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
Incident ResponseIR.5.108Establish and maintain a Cyber Incident Response Team (CIRT) that can investigate an issue physically or virtually at any location within 24 hours.
Incident ResponseIR.5.110Perform unannounced operational exercises to demonstrate technical and procedural responses.
MaintenanceMA.2.111Perform maintenance on organizational systems
MaintenanceMA.2.112Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
MaintenanceMA.2.113Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
MaintenanceMA.2.114Supervise the maintenance activities of personnel without required access authorization.
MaintenanceMA.3.115Ensure equipment removed for off-site maintenance is sanitized of any “Controlled Unclassified Information” (CUI).
MaintenanceMA.3.116Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Media ProtectionMP.1.118Sanitize or destroy information system media containing Federal Contract Information or controlled unclassified information before disposal or release for reuse.
Media ProtectionMP.2.119Protect (i.e., physically control and securely store) system media containing Federal Contract Information, both paper and digital.
Media ProtectionMP.2.120Limit access to “Controlled Unclassified Information” (CUI) on system media to authorized users.
Media ProtectionMP.2.121Control the use of removable media on system components.
Media ProtectionMP.3.122Mark media with necessary “Controlled Unclassified Information” (CUI) markings and distribution limitations.
Media ProtectionMP.3.123Prohibit the use of portable storage devices when such devices have no identifiable owner.
Media ProtectionMP.3.124Control access to media containing “Controlled Unclassified Information” (CUI) and maintain accountability for media during transport outside of controlled areas.
Media ProtectionMP.3.125Implement cryptographic mechanisms to protect the confidentiality of “Controlled Unclassified Information” (CUI) stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Personnel SecurityPS.2.127Screen individuals prior to authorizing access to organizational systems containing Federal Contract Information.
Personnel SecurityPS.2.128Ensure that organizational systems containing Federal Contract Information are protected during and after personnel actions such as terminations and transfers.
Physical ProtectionPE.1.131Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Physical ProtectionPE.1.132