Cybersecurity Maturity Model Certification (CMMC)

CMMC practices as listed in Microsoft's Technical Reference Guide for CMMC v2 (public preview, March 2022). Each bullet abbreviates one practice statement; CMMC Level 2 practices are drawn from NIST SP 800-171, so the wording below follows that publication:

  • Limit information system access to authorized users, processes acting on …
  • Limit information system access to the types of transactions and functions …
  • Control the flow of CUI in accordance with approved authorizations.
  • Separate the duties of individuals to reduce the risk of malevolent activity …
  • Employ the principle of least privilege, including for specific security…
  • Use non-privileged accounts or roles when accessing non-security functions.
  • Prevent non-privileged users from executing privileged functions…
  • Limit unsuccessful logon attempts.
  • Use session lock with pattern-hiding displays to prevent access and viewing …
  • Terminate (automatically) user sessions after a defined condition.
  • Monitor and control remote access sessions.
  • Employ cryptographic mechanisms to protect the confidentiality of remote …
  • Route remote access via managed access control points.
  • Authorize remote execution of privileged commands and remote access…
  • Authorize wireless access prior to allowing such connections.
  • Protect wireless access using authentication and encryption.
  • Control connection of mobile devices.
  • Encrypt CUI on mobile devices and mobile computing platforms.
  • Verify and control/limit connections to and use of external information …
  • Limit use of portable storage devices on external systems.
  • Control information posted or processed on publicly accessible information systems.
  • Create and retain system audit logs and records to the extent needed to …
  • Ensure that the actions of individual system users can be uniquely traced to …
  • Review and update logged events.
  • Alert in the event of an audit logging process failure.
  • Correlate audit record review, analysis and reporting processes for…
  • Provide audit record reduction and report generation to support …
  • Provide a system capability that compares and synchronizes internal system …
  • Protect audit information and audit logging tools from unauthorized access…
  • Limit management of audit logging functionality to a subset of privileged …
  • Ensure that managers, system administrators and users of organizational …
  • Ensure that personnel are trained to carry out their assigned information …
  • Provide security awareness training on recognizing and reporting potential …
  • Establish and maintain baseline configurations and inventories…
  • Establish and enforce security configuration settings for information …
  • Track, review, approve or disapprove and log changes to organizational …
  • Analyze the security impact of changes prior to implementation.
  • Define, document, approve and enforce physical and logical access …
  • Employ the principle of least functionality by configuring organizational …
  • Restrict, disable or prevent the use of nonessential programs, functions…
  • Apply deny-by-exception (blacklisting) policy to prevent the use of …
  • Control and monitor user-installed software.
  • Identify information system users, processes acting on behalf of users or …
  • Authenticate (or verify) the identities of those users, processes or devices, as …
  • Use multi-factor authentication for local and network access to privileged …
  • Employ replay-resistant authentication mechanisms for network access to…
  • Prevent the reuse of identifiers for a defined period.
  • Disable identifiers after a defined period of inactivity.
  • Enforce a minimum password complexity and change of characters when …
  • Prohibit password reuse for a specified number of generations.
  • Allow temporary password use for system logons with an immediate change to a permanent password.
  • Store and transmit only cryptographically protected passwords.
  • Obscure feedback of authentication information.
  • Establish an operational incident-handling capability for organizational …
  • Track, document and report incidents to designated officials…
  • Test the organizational incident response capability.
  • Perform maintenance on organizational systems.
  • Provide controls on the tools, techniques, mechanisms and personnel used …
  • Ensure equipment removed for off-site maintenance is sanitized of any…
  • Check media containing diagnostic and test programs for malicious code …
  • Require multifactor authentication to establish nonlocal maintenance …
  • Supervise the maintenance activities of personnel without required access …
  • Protect (i.e., physically control and securely store) system media containing  …
  • Limit access to CUI on system media to authorized users.
  • Sanitize or destroy information system media containing Federal Contract …
  • Mark media with necessary CUI markings and distribution limitations.
  • Control access to media containing CUI and maintain accountability for…
  • Implement cryptographic mechanisms to protect the confidentiality of…
  • Control the use of removable media on system components.
  • Prohibit the use of portable storage devices when such devices have no …
  • Protect the confidentiality of backup CUI at storage locations.
  • Screen individuals prior to authorizing access to organizational systems …
  • Ensure that organizational systems containing CUI are protected during and …
  • Enforce safeguarding measures for CUI at alternate work sites.
  • Periodically assess the risk to organizational operations …
  • Scan for vulnerabilities in organizational systems and applications …
  • Remediate vulnerabilities in accordance with risk assessments.
  • Periodically assess the security controls in organizational systems to …
  • Develop and implement plans of action (e.g., POA&M) designed to correct …
  • Monitor security controls on an ongoing basis to ensure the continued …
  • Develop, document and periodically update System Security Plans (SSPs) …
  • Monitor, control and protect organizational communications…
  • Employ architectural designs, software development techniques and …
  • Separate user functionality from system management functionality.
  • Prevent unauthorized and unintended information transfer via shared …
  • Implement subnetworks for publicly accessible system components that are …
  • Deny network communications traffic by default and allow network …
  • Prevent remote devices from simultaneously establishing non-remote …
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of …
  • Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
  • Establish and manage cryptographic keys for cryptography employed in …
  • Employ FIPS-validated cryptography when used to protect the …
  • Prohibit remote activation of collaborative computing devices and provide …
  • Control and monitor the use of mobile code.
  • Control and monitor the use of Voice over Internet Protocol (VoIP) …
  • Protect the authenticity of communications sessions.
  • Protect the confidentiality of CUI at rest.
  • Identify, report and correct information and information system flaws in a…
  • Provide protection from malicious code at appropriate locations within…
  • Monitor system security alerts and advisories and take action in response.
  • Update malicious code protection mechanisms when new releases are…
  • Perform periodic scans of the information system and real-time scans of…
  • Monitor organizational systems, including inbound and outboun…
  • Identify unauthorized use of organizational systems.
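Several of the identification-and-authentication practices above (limit unsuccessful logon attempts, prohibit password reuse, enforce minimum complexity, store only cryptographically protected passwords, disable identifiers after inactivity) are settings an assessor can read straight out of Active Directory. The script below is an added example, not part of Microsoft's guide and not from the page above: it pulls the default domain password policy and lists enabled accounts that have gone stale, then marks each setting pass/fail. The numeric thresholds are assumptions for illustration only; CMMC and NIST SP 800-171 leave the exact values to the organization, so replace them with the values recorded in your System Security Plan. It assumes the ActiveDirectory module (RSAT) is installed and the caller has read access to the domain.

```powershell
# Added example (not from Microsoft's Technical Reference Guide): check a domain's
# default password/lockout policy and stale accounts against a few CMMC practices.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory -ErrorAction Stop

# Assumed organizational thresholds - illustrative only; use the values in your SSP.
$MaxLockoutThreshold = 10   # "Limit unsuccessful logon attempts"
$MinPasswordHistory  = 24   # "Prohibit password reuse for a specified number of generations"
$MinPasswordLength   = 14   # "Enforce a minimum password complexity ..."
$MaxInactiveDays     = 90   # "Disable identifiers after a defined period of inactivity"

function Test-CmmcPasswordPolicy {
    param([Parameter(Mandatory)] $Policy)
    # One finding per practice: the setting read, the observed value, pass/fail.
    $results = @()
    $results += [pscustomobject]@{
        Practice = 'Limit unsuccessful logon attempts'
        Setting  = 'LockoutThreshold'
        Observed = $Policy.LockoutThreshold
        # A threshold of 0 means accounts never lock out, which fails the practice outright.
        Pass     = ($Policy.LockoutThreshold -gt 0 -and $Policy.LockoutThreshold -le $MaxLockoutThreshold)
    }
    $results += [pscustomobject]@{
        Practice = 'Prohibit password reuse'
        Setting  = 'PasswordHistoryCount'
        Observed = $Policy.PasswordHistoryCount
        Pass     = ($Policy.PasswordHistoryCount -ge $MinPasswordHistory)
    }
    $results += [pscustomobject]@{
        Practice = 'Enforce minimum password complexity'
        Setting  = 'ComplexityEnabled / MinPasswordLength'
        Observed = "$($Policy.ComplexityEnabled) / $($Policy.MinPasswordLength)"
        Pass     = ($Policy.ComplexityEnabled -and $Policy.MinPasswordLength -ge $MinPasswordLength)
    }
    $results += [pscustomobject]@{
        Practice = 'Store only cryptographically protected passwords'
        Setting  = 'ReversibleEncryptionEnabled'
        Observed = $Policy.ReversibleEncryptionEnabled
        # Reversible encryption lets the cleartext password be recovered; it must be off.
        Pass     = (-not $Policy.ReversibleEncryptionEnabled)
    }
    return $results
}

function Get-InactiveEnabledUsers {
    param([int]$Days = $MaxInactiveDays)
    # Enabled user accounts with no logon in the last $Days days: identifiers that the
    # inactivity practice says should already have been disabled.
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = Test-CmmcPasswordPolicy -Policy $policy
$findings | Format-Table Practice, Setting, Observed, Pass -AutoSize

$stale = @(Get-InactiveEnabledUsers)
"Enabled accounts inactive for more than $MaxInactiveDays days: $($stale.Count)"
$stale | Format-Table -AutoSize
```

Two caveats when using output like this as assessment evidence. First, the default domain policy can be overridden per user or group by fine-grained password policies (`Get-ADFineGrainedPasswordPolicy -Filter *`), so a passing default policy does not prove every account is covered. Second, `Search-ADAccount -AccountInactive` relies on the replicated lastLogonTimestamp attribute, which can lag the true last logon by up to about two weeks, so treat the stale-account list as a starting point rather than a precise count.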


More info:

https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-cmmc-acceleration-update-march-2022/ba-p/3258999?lightbox-message-images-3258999=360588i2B9322EAF7C33FA3


Document:

https://download.microsoft.com/download/c/a/6/ca67ab87-4832-476e-8f01-b1572c7a740c/Microsoft%20Technical%20Reference%20Guide%20for%20CMMC%20v2_(Public%20Preview)_20220304%20(2).pdf