Compliance Reference
CMMC 2.0 Practices
All 110 CMMC 2.0 practices organized by domain. Level 1 practices support self-assessment via C6 Overwatch.
AC Access Control 22
AC.L1-3.1.1 Account Management L1
AC.L1-3.1.2 Access Enforcement L1
AC.L2-3.1.3 Information Flow Enforcement L2
AC.L2-3.1.4 Separation of Duties L2
AC.L2-3.1.5 Least Privilege L2
AC.L2-3.1.6 Least Privilege – Privileged Accounts L2
AC.L2-3.1.7 Least Privilege – Privileged Functions L2
AC.L2-3.1.8 Unsuccessful Logon Attempts L2
AC.L2-3.1.9 System Use Notification L2
AC.L2-3.1.10 Device Lock L2
AC.L2-3.1.11 Session Termination L2
AC.L2-3.1.12 Remote Access L2
AC.L2-3.1.13 Employ Cryptographic Mechanisms to Protect the Confidentiality of Remote Access Sessions L2
AC.L2-3.1.14 Route Remote Access via Managed Access Control Points L2
AC.L2-3.1.15 Authorize Remote Execution of Privileged Commands and Remote Access to Security-Relevant Information L2
AC.L2-3.1.16 Wireless Access L2
AC.L2-3.1.17 Protect Wireless Access Using Authentication and Encryption L2
AC.L2-3.1.18 Access Control for Mobile Devices L2
AC.L2-3.1.19 Encrypt CUI on Mobile Devices and Mobile Computing Platforms L2
AC.L1-3.1.20 Use of External Systems L1
AC.L2-3.1.21 Limit Use of Portable Storage Devices on External Systems L2
AC.L1-3.1.22 Publicly Accessible Content L1
AT Awareness & Training 3
AU Audit & Accountability 9
AU.L2-3.3.1 Event Logging L2
AU.L2-3.3.2 Audit Record Content L2
AU.L2-3.3.3 Audit Record Generation L2
AU.L2-3.3.4 Response to Audit Logging Process Failures L2
AU.L1-3.3.5 Audit Record Review, Analysis, and Reporting L1
AU.L2-3.3.6 Audit Record Reduction and Report Generation L2
AU.L2-3.3.7 Time Stamps L2
AU.L2-3.3.8 Protection of Audit Information L2
AU.L2-3.3.9 Provide a System Capability That Compares and Synchronizes Internal System Clocks L2
CM Configuration Management 9
CM.L1-3.4.1 Baseline Configuration L1
CM.L1-3.4.2 Configuration Settings L1
CM.L2-3.4.3 Configuration Change Control L2
CM.L2-3.4.4 Impact Analyses L2
CM.L2-3.4.5 Access Restrictions for Change L2
CM.L2-3.4.6 Least Functionality L2
CM.L2-3.4.7 Restrict, Disable, or Prevent the Use of Nonessential Programs, Functions, Ports, Protocols, and Services L2
CM.L2-3.4.8 Authorized Software – Allow by Exception L2
CM.L2-3.4.9 Control and Monitor User-Installed Software L2
IA Identification & Authentication 11
IA.L1-3.5.1 User Identification and Authentication L1
IA.L1-3.5.2 Device Identification and Authentication L1
IA.L2-3.5.3 Multi-Factor Authentication L2
IA.L2-3.5.4 Replay-Resistant Authentication L2
IA.L2-3.5.5 Identifier Management L2
IA.L2-3.5.6 Disable Identifier After a Defined Period of Inactivity L2
IA.L1-3.5.7 Password Management L1
IA.L2-3.5.8 Implement Replay-Resistant Authentication Mechanisms for Network Access to Non-Privileged Accounts L2
IA.L2-3.5.9 Allow Temporary Password Use for System Logons with an Immediate Change to a Permanent Password L2
IA.L2-3.5.10 Store and Transmit Only Cryptographically-Protected Passwords L2
IA.L2-3.5.11 Authentication Feedback L2
IR Incident Response 3
MA Maintenance 6
MA.L2-3.7.1 Perform Maintenance on Organizational Systems L2
MA.L2-3.7.2 Provide Controls on the Tools, Techniques, Mechanisms, and Personnel Used to Conduct System Maintenance L2
MA.L2-3.7.3 Ensure Equipment Removed for Off-Site Maintenance Is Sanitized of Any CUI L2
MA.L2-3.7.4 Maintenance Tools L2
MA.L2-3.7.5 Nonlocal Maintenance L2
MA.L2-3.7.6 Maintenance Personnel L2
MP Media Protection 9
MP.L2-3.8.1 Media Storage L2
MP.L2-3.8.2 Media Access L2
MP.L1-3.8.3 Media Sanitization L1
MP.L2-3.8.4 Media Marking L2
MP.L2-3.8.5 Media Transport L2
MP.L2-3.8.6 Implement Cryptographic Mechanisms to Protect the Confidentiality of CUI Stored on Digital Media During Transport L2
MP.L2-3.8.7 Media Use L2
MP.L2-3.8.8 Prohibit the Use of Portable Storage Devices When Such Devices Have No Identifiable Owner L2
MP.L2-3.8.9 System Backup – Cryptographic Protection L2
PS Personnel Security 2
PE Physical Protection 6
PE.L1-3.10.1 Physical Access Authorizations L1
PE.L2-3.10.2 Monitoring Physical Access L2
PE.L1-3.10.3 Escort Visitors and Monitor Visitor Activity L1
PE.L1-3.10.4 Maintain Audit Logs of Physical Access L1
PE.L1-3.10.5 Control and Manage Physical Access Devices L1
PE.L2-3.10.6 Alternate Work Site L2
RA Risk Assessment 3
CA Security Assessment 4
SC System & Communications Protection 16
SC.L1-3.13.1 Boundary Protection L1
SC.L2-3.13.2 Employ Architectural Designs, Software Development Techniques, and Systems Engineering Principles That Promote Effective Information Security L2
SC.L2-3.13.3 Separate User Functionality from System Management Functionality L2
SC.L2-3.13.4 Information in Shared System Resources L2
SC.L2-3.13.5 Implement Subnetworks for Publicly Accessible System Components That Are Physically or Logically Separated from Internal Networks L2
SC.L2-3.13.6 Network Communications – Deny by Default – Allow by Exception L2
SC.L2-3.13.7 Prevent Remote Devices from Simultaneously Establishing Non-Remote Connections with Organizational Systems and Communicating via Some Other Connection to Resources in External Networks (Split Tunneling) L2
SC.L2-3.13.8 Transmission and Storage Confidentiality L2
SC.L2-3.13.9 Network Disconnect L2
SC.L2-3.13.10 Cryptographic Key Establishment and Management L2
SC.L2-3.13.11 Cryptographic Protection L2
SC.L2-3.13.12 Collaborative Computing Devices and Applications L2
SC.L2-3.13.13 Mobile Code L2
SC.L2-3.13.14 Control and Monitor the Use of Voice over Internet Protocol (VoIP) Technologies L2
SC.L2-3.13.15 Session Authenticity L2
SC.L2-3.13.16 Protect the Confidentiality of CUI at Rest L2
SI System & Information Integrity 7
SI.L1-3.14.1 Flaw Remediation L1
SI.L2-3.14.2 Malicious Code Protection L2
SI.L2-3.14.3 Security Alerts, Advisories, and Directives L2
SI.L2-3.14.4 Update Malicious Code Protection Mechanisms When New Releases Are Available L2
SI.L2-3.14.5 Perform Periodic Scans of Organizational Systems and Real-Time Scans of Files from External Sources L2
SI.L2-3.14.6 System Monitoring L2
SI.L2-3.14.7 Identify Unauthorized Use of Organizational Systems L2