Home / Frameworks / CMMC / Level 2

CMMC v2.0

Cybersecurity Maturity Model Certification for DoD contractors

110 All 17 Level 1 93 Level 2

Showing 93 practices in Level 2 (CUI)

Advanced - Protection of Controlled Unclassified Information (CUI)

AC — Access Control (18 practices)

AC.L2-3.1.10Session Lock

AC.L2-3.1.11Session Termination

AC.L2-3.1.12Control Remote Access

AC.L2-3.1.13Remote Access Confidentiality

AC.L2-3.1.14Remote Access Routing

AC.L2-3.1.15Privileged Remote Access

AC.L2-3.1.16Wireless Access Authorization

AC.L2-3.1.17Wireless Access Protection

AC.L2-3.1.18Mobile Device Connection

AC.L2-3.1.19Encrypt CUI on Mobile

AC.L2-3.1.21Portable Storage Use

AC.L2-3.1.3Control CUI Flow

AC.L2-3.1.4Separation of Duties

AC.L2-3.1.5Least Privilege

AC.L2-3.1.6Non-Privileged Account Use

AC.L2-3.1.7Privileged Functions

AC.L2-3.1.8Unsuccessful Logon Attempts

AC.L2-3.1.9Privacy & Security Notices

AT — Awareness and Training (3 practices)

AT.L2-3.2.1Role-Based Risk Awareness

AT.L2-3.2.2Role-Based Training

AT.L2-3.2.3Insider Threat Awareness

AU — Audit and Accountability (9 practices)

AU.L2-3.3.1System Auditing

AU.L2-3.3.2User Accountability

AU.L2-3.3.3Event Review

AU.L2-3.3.4Audit Failure Alerting

AU.L2-3.3.5Audit Correlation

AU.L2-3.3.6Reduction & Reporting

AU.L2-3.3.7Authoritative Time Source

AU.L2-3.3.8Audit Protection

AU.L2-3.3.9Audit Management

CA — Security Assessment (4 practices)

CA.L2-3.12.1Security Control Assessment

CA.L2-3.12.2Plan of Action

CA.L2-3.12.3Security Control Monitoring

CA.L2-3.12.4System Security Plan

CM — Configuration Management (9 practices)

CM.L2-3.4.1System Baselining

CM.L2-3.4.2Security Configuration Enforcement

CM.L2-3.4.3System Change Management

CM.L2-3.4.4Security Impact Analysis

CM.L2-3.4.5Access Restrictions for Change

CM.L2-3.4.6Least Functionality

CM.L2-3.4.7Nonessential Functionality

CM.L2-3.4.8Application Execution Policy

CM.L2-3.4.9User-Installed Software

IA — Identification and Authentication (9 practices)

IA.L2-3.5.10Cryptographically-Protected Passwords

IA.L2-3.5.11Obscure Feedback

IA.L2-3.5.3Multifactor Authentication

IA.L2-3.5.4Replay-Resistant Authentication

IA.L2-3.5.5Identifier Reuse

IA.L2-3.5.6Identifier Handling

IA.L2-3.5.7Password Complexity

IA.L2-3.5.8Password Reuse

IA.L2-3.5.9Temporary Passwords

IR — Incident Response (3 practices)

IR.L2-3.6.1Incident Handling

IR.L2-3.6.2Incident Reporting

IR.L2-3.6.3Incident Response Testing

MA — Maintenance (6 practices)

MA.L2-3.7.1Perform Maintenance

MA.L2-3.7.2System Maintenance Control

MA.L2-3.7.3Equipment Sanitization

MA.L2-3.7.4Media Inspection

MA.L2-3.7.5Nonlocal Maintenance

MA.L2-3.7.6Maintenance Personnel

MP — Media Protection (8 practices)

MP.L2-3.8.1Media Protection

MP.L2-3.8.2Media Access

MP.L2-3.8.4Media Markings

MP.L2-3.8.5Media Accountability

MP.L2-3.8.6Portable Storage Encryption

MP.L2-3.8.7Removable Media

MP.L2-3.8.8Shared Media

MP.L2-3.8.9Protect Backups

PE — Physical Protection (2 practices)

PE.L2-3.10.2Monitor Facility

PE.L2-3.10.6Alternative Work Sites

PS — Personnel Security (2 practices)

PS.L2-3.9.1Screen Individuals

PS.L2-3.9.2Personnel Actions

RA — Risk Assessment (3 practices)

RA.L2-3.11.1Risk Assessments

RA.L2-3.11.2Vulnerability Scan

RA.L2-3.11.3Vulnerability Remediation

SC — System and Communications Protection (14 practices)

SC.L2-3.13.10Key Management

SC.L2-3.13.11CUI Encryption

SC.L2-3.13.12Collaborative Device Control

SC.L2-3.13.13Mobile Code

SC.L2-3.13.14Voice over Internet Protocol

SC.L2-3.13.15Communications Authenticity

SC.L2-3.13.16Data at Rest

SC.L2-3.13.2Security Engineering

SC.L2-3.13.3Role Separation

SC.L2-3.13.4Shared Resource Control

SC.L2-3.13.6Network Communication by Exception

SC.L2-3.13.7Split Tunneling

SC.L2-3.13.8Data in Transit

SC.L2-3.13.9Connections Termination

SI — System and Information Integrity (3 practices)

SI.L2-3.14.3Security Alerts & Advisories

SI.L2-3.14.6Monitor Communications for Attacks

SI.L2-3.14.7Identify Unauthorized Use