CMMC 2.0 Level 1 AOS v2.0
CMMC Level 1 Assessment Objectives
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.
AC — Access Control (19 objectives)
AC.L1-B.1.I[a] Authorized users are identified.
AC.L1-B.1.I[b] Processes acting on behalf of authorized users are identified.
AC.L1-B.1.I[c] Devices (and other systems) authorized to connect to the system are identified.
AC.L1-B.1.I[d] System access is limited to authorized users.
AC.L1-B.1.I[e] System access is limited to processes acting on behalf of authorized users.
AC.L1-B.1.I[f] System access is limited to authorized devices (including other systems).
AC.L1-B.1.II[a] The types of transactions and functions that authorized users are permitted to execute are defined.
AC.L1-B.1.II[b] System access is limited to the defined types of transactions and functions for authorized users.
AC.L1-B.1.III[a] Connections to external systems are identified.
AC.L1-B.1.III[b] The use of external systems is identified.
AC.L1-B.1.III[c] Connections to external systems are verified.
AC.L1-B.1.III[d] The use of external systems is verified.
AC.L1-B.1.III[e] Connections to external systems are controlled/limited.
AC.L1-B.1.III[f] The use of external systems is controlled/limited.
AC.L1-B.1.IV[a] Individuals authorized to post or process information on publicly accessible systems are identified.
AC.L1-B.1.IV[b] Procedures to ensure [FCI] is not posted or processed on publicly accessible systems are identified.
AC.L1-B.1.IV[c] A review process is in place prior to posting of any content to publicly accessible systems.
AC.L1-B.1.IV[d] Content on publicly accessible systems is reviewed to ensure that it does not include [FCI].
AC.L1-B.1.IV[e] Mechanisms are in place to remove and address improper posting of [FCI].
IA — Identification and Authentication (6 objectives)
IA.L1-B.1.V[a] System users are identified.
IA.L1-B.1.V[b] Processes acting on behalf of users are identified.
IA.L1-B.1.V[c] Devices accessing the system are identified.
IA.L1-B.1.VI[a] The identity of each user is authenticated or verified as a prerequisite to system access.
IA.L1-B.1.VI[b] The identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.
IA.L1-B.1.VI[c] The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
MP — Media Protection (2 objectives)
PE — Physical Protection (10 objectives)
PE.L1-B.1.VIII[a] Authorized individuals allowed physical access are identified.
PE.L1-B.1.VIII[b] Physical access to organizational systems is limited to authorized individuals.
PE.L1-B.1.VIII[c] Physical access to equipment is limited to authorized individuals.
PE.L1-B.1.VIII[d] Physical access to operating environments is limited to authorized individuals.
PE.L1-B.1.IX[a] Visitors are escorted.
PE.L1-B.1.IX[b] Visitor activity is monitored.
PE.L1-B.1.IX[c] Audit logs of physical access are maintained.
PE.L1-B.1.IX[d] Physical access devices are identified.
PE.L1-B.1.IX[e] Physical access devices are controlled.
PE.L1-B.1.IX[f] Physical access devices are managed.
SC — System and Communications Protection (10 objectives)
SC.L1-B.1.X[a] The external system boundary is defined.
SC.L1-B.1.X[b] Key internal system boundaries are defined.
SC.L1-B.1.X[c] Communications are monitored at the external system boundary.
SC.L1-B.1.X[d] Communications are monitored at key internal boundaries.
SC.L1-B.1.X[e] Communications are controlled at the external system boundary.
SC.L1-B.1.X[f] Communications are controlled at key internal boundaries.
SC.L1-B.1.X[g] Communications are protected at the external system boundary.
SC.L1-B.1.X[h] Communications are protected at key internal boundaries.
SC.L1-B.1.XI[a] Publicly accessible system components are identified.
SC.L1-B.1.XI[b] Subnetworks for publicly accessible system components are physically or logically separated from internal networks.
SI — System and Information Integrity (12 objectives)
SI.L1-B.1.XII[a] The time within which to identify system flaws is specified.
SI.L1-B.1.XII[b] System flaws are identified within the specified time frame.
SI.L1-B.1.XII[c] The time within which to report system flaws is specified.
SI.L1-B.1.XII[d] System flaws are reported within the specified time frame.
SI.L1-B.1.XII[e] The time within which to correct system flaws is specified.
SI.L1-B.1.XII[f] System flaws are corrected within the specified time frame.
SI.L1-B.1.XIII[a] Designated locations for malicious code protection are identified.
SI.L1-B.1.XIII[b] Protection from malicious code at designated locations is provided.
SI.L1-B.1.XIV[a] Malicious code protection mechanisms are updated when new releases are available.
SI.L1-B.1.XV[a] The frequency for malicious code scans is defined.
SI.L1-B.1.XV[b] Malicious code scans are performed with the defined frequency.
SI.L1-B.1.XV[c] Real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.