| Domain | Section | CMMC Practice Requirement: |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
| Access Control | AC.1.003 | Verify and control/limit connections to and use of external information systems. |
| Access Control | AC.1.004 | Control information posted or processed on publicly accessible information systems. |
| Access Control | AC.2.005 | Provide privacy and security notices consistent with applicable “Controlled Unclassified Information” (CUI) rules. |
| Access Control | AC.2.006 | Limit use of portable storage devices on external systems. |
| Access Control | AC.2.007 | Employ the principle of least privilege, including for specific security functions and privileged accounts. |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. |
| Access Control | AC.2.009 | Limit unsuccessful logon attempts. |
| Access Control | AC.2.010 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. |
| Access Control | AC.2.011 | Authorize wireless access prior to allowing such connections. |
| Access Control | AC.3.012 | Protect wireless access using authentication and encryption. |
| Access Control | AC.2.013 | Monitor and control remote access sessions. |
| Access Control | AC.3.014 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
| Access Control | AC.2.015 | Route remote access via managed access control points. |
| Access Control | AC.2.016 | Control the flow of Federal Contract Information in accordance with approved authorizations. |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
| Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. |
| Access Control | AC.3.019 | Terminate (automatically) user sessions after a defined condition. |
| Access Control | AC.3.020 | Control connection of mobile devices. |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security relevant information. |
| Access Control | AC.3.022 | Encrypt CUI on mobile devices and mobile computing platforms. |
| Access Control | AC.4.023 | Control information flows between security domains on connected systems. |
| Access Control | AC.4.025 | Periodically review and update CUI program access permissions. |
| Access Control | AC.4.032 | Restrict remote network access based on organizational defined risk factors such as time of day, location of access, physical location, network connection state and measured properties of the current user and role. |
| Access Control | AC.5.024 | Identify and mitigate risk associated with unidentified wireless access points connected to the network. |
| Asset Management | AM.3.036 | Define procedures for the handling of “Controlled Unclassified Information” (CUI) data. |
| Asset Management | AM.4.226 | Employ automated capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory. |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
| Audit and Accountability | AU.2.043 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. |
| Audit and Accountability | AU.2.044 | Review audit logs. |
| Audit and Accountability | AU.3.045 | Review and update logged events. |
| Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. |
| Audit and Accountability | AU.3.048 | Collect audit logs into one or more central repositories. |
| Audit and Accountability | AU.3.049 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. |
| Audit and Accountability | AU.3.050 | Limit management of audit logging functionality to a subset of privileged users. |
| Audit and Accountability | AU.3.051 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. |
| Audit and Accountability | AU.3.052 | Provide audit record reduction and report generation to support on-demand analysis and reporting. |
| Audit & Accountability | AU.4.053 | Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally-defined suspicious activity. |
| Audit & Accountability | AU.4.054 | Review audit information for broad activity in addition to per-machine activity. |
| Audit & Accountability | AU.5.055 | Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging. |
| Awareness and Training | AT.2.056 | Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. |
| Awareness and Training | AT.2.057 | Ensure that personnel are trained to carry out their assigned information security related duties and responsibilities. |
| Awareness & Training | AT.3.058 | Provide security awareness training on recognizing and reporting potential indicators of insider threat. |
| Awareness & Training | AT.4.059 | Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat. |
| Awareness & Training | AT.4.060 | Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training. |
| Awareness and Training | AT.3.058 | Provide security awareness training on recognizing and reporting potential indicators of insider threat. |
| Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
| Configuration Management | CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
| Configuration Management | CM.2.063 | Control and monitor user-installed software. |
| Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems |
| Configuration Management | CM.2.065 | Track, review, approve, or disapprove, and log changes to organizational systems. |
| Configuration Management | CM.2.066 | Analyze the security impact of changes prior to implementation. |
| Configuration Management | CM.3.067 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |
| Configuration Management | CM.3.069 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. |
| Configuration Management | CM.4.073 | Employ application whitelisting and an application vetting process for systems identified by the organization. |
| Configuration Management | CM.5.074 | Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification or cryptographic signatures). |
| Identification and Authentication | IA.1.076 | Identify information system users, processes acting on behalf of users, or devices. |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. |
| Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. |
| Identification and Authentication | IA.2.080 | Allow temporary password use for system logons with an immediate change to a permanent password. |
| Identification and Authentication | IA.2.081 | Store and transmit only cryptographically protected passwords. |
| Identification and Authentication | IA.2.082 | Obscure feedback of authentication information. |
| Identification and Authentication | IA.3.083 | Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. |
| Identification and Authentication | IA.3.085 | Prevent the reuse of identifiers for a defined period. |
| Identification and Authentication | IA.3.086 | Disable identifiers after a defined period of inactivity. |
| Incident Response | IR.2.092 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. |
| Incident Response | IR.2.093 | Detect and report events. |
| Incident Response | IR.2.094 | Analyze and triage events to support event resolution and incident declaration. |
| Incident Response | IR.2.096 | Develop and implement responses to declared incidents according to predefined procedures. |
| Incident Response | IR.2.097 | Perform root cause analysis on incidents to determine underlying causes. |
| Incident Response | IR.3.098 | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. |
| Incident Response | IR.3.099 | Test the organizational incident response capability. |
| Incident Response | IR.4.100 | Use knowledge of attacker tactics, techniques and procedures in incident response planning and execution. |
| Incident Response | IR.4.101 | Establish and maintain a Security Operations Center (SOC) capability that facilitates a 24/7 response capability. |
| Incident Response | IR.5.102 | Use a combination of manual and automated, real-time response to anomalous activities that match incident patterns. |
| Incident Response | IR.5.106 | In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data. |
| Incident Response | IR.5.108 | Establish and maintain a Cyber Incident Response Team (CIRT) that can investigate an issue physically or virtually at any location within 24 hours. |
| Incident Response | IR.5.110 | Perform unannounced operational exercises to demonstrate technical and procedural responses. |
| Maintenance | MA.2.111 | Perform maintenance on organizational systems |
| Maintenance | MA.2.112 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. |
| Maintenance | MA.2.113 | Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. |
| Maintenance | MA.2.114 | Supervise the maintenance activities of personnel without required access authorization. |
| Maintenance | MA.3.115 | Ensure equipment removed for off-site maintenance is sanitized of any “Controlled Unclassified Information” (CUI). |
| Maintenance | MA.3.116 | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. |
| Media Protection | MP.1.118 | Sanitize or destroy information system media containing Federal Contract Information or controlled unclassified information before disposal or release for reuse. |
| Media Protection | MP.2.119 | Protect (i.e., physically control and securely store) system media containing Federal Contract Information, both paper and digital. |
| Media Protection | MP.2.120 | Limit access to “Controlled Unclassified Information” (CUI) on system media to authorized users. |
| Media Protection | MP.2.121 | Control the use of removable media on system components. |
| Media Protection | MP.3.122 | Mark media with necessary “Controlled Unclassified Information” (CUI) markings and distribution limitations. |
| Media Protection | MP.3.123 | Prohibit the use of portable storage devices when such devices have no identifiable owner. |
| Media Protection | MP.3.124 | Control access to media containing “Controlled Unclassified Information” (CUI) and maintain accountability for media during transport outside of controlled areas. |
| Media Protection | MP.3.125 | Implement cryptographic mechanisms to protect the confidentiality of “Controlled Unclassified Information” (CUI) stored on digital media during transport unless otherwise protected by alternative physical safeguards. |
| Personnel Security | PS.2.127 | Screen individuals prior to authorizing access to organizational systems containing Federal Contract Information. |
| Personnel Security | PS.2.128 | Ensure that organizational systems containing Federal Contract Information are protected during and after personnel actions such as terminations and transfers. |
| Physical Protection | PE.1.131 | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. |
| Physical Protection | PE.1.132 | |
