Under active development — Content is continuously updated and improved

Home / Frameworks / CMMC

CMMC v2.0

Cybersecurity Maturity Model Certification for DoD contractors

This is a reference tool, not an authoritative source. For official documentation, visit dodcio.defense.gov.

110 All

AT — Awareness and Training (3 practices)

AT.L2-3.2.1Role-Based Risk Awareness

AT.L2-3.2.2Role-Based Training

AT.L2-3.2.3Insider Threat Awareness

AU — Audit and Accountability (9 practices)

AU.L2-3.3.1System Auditing

AU.L2-3.3.2User Accountability

AU.L2-3.3.3Event Review

AU.L2-3.3.4Audit Failure Alerting

AU.L2-3.3.5Audit Correlation

AU.L2-3.3.6Reduction & Reporting

AU.L2-3.3.7Authoritative Time Source

AU.L2-3.3.8Audit Protection

AU.L2-3.3.9Audit Management

CA — Security Assessment (4 practices)

CA.L2-3.12.1Security Control Assessment

CA.L2-3.12.2Plan of Action

CA.L2-3.12.3Security Control Monitoring

CA.L2-3.12.4System Security Plan

CM — Configuration Management (9 practices)

CM.L2-3.4.1System Baselining

CM.L2-3.4.2Security Configuration Enforcement

CM.L2-3.4.3System Change Management

CM.L2-3.4.4Security Impact Analysis

CM.L2-3.4.5Access Restrictions for Change

CM.L2-3.4.6Least Functionality

CM.L2-3.4.7Nonessential Functionality

CM.L2-3.4.8Application Execution Policy

CM.L2-3.4.9User-Installed Software

IA — Identification and Authentication (11 practices)

IA.L1-3.5.1Identification

IA.L1-3.5.2Authentication

IA.L2-3.5.10Cryptographically-Protected Passwords

IA.L2-3.5.11Obscure Feedback

IA.L2-3.5.3Multifactor Authentication

IA.L2-3.5.4Replay-Resistant Authentication

IA.L2-3.5.5Identifier Reuse

IA.L2-3.5.6Identifier Handling

IA.L2-3.5.7Password Complexity

IA.L2-3.5.8Password Reuse

IA.L2-3.5.9Temporary Passwords

IR — Incident Response (3 practices)

IR.L2-3.6.1Incident Handling

IR.L2-3.6.2Incident Reporting

IR.L2-3.6.3Incident Response Testing

MA — Maintenance (6 practices)

MA.L2-3.7.1Perform Maintenance

MA.L2-3.7.2System Maintenance Control

MA.L2-3.7.3Equipment Sanitization

MA.L2-3.7.4Media Inspection

MA.L2-3.7.5Nonlocal Maintenance

MA.L2-3.7.6Maintenance Personnel

MP — Media Protection (9 practices)

MP.L1-3.8.3Media Disposal

MP.L2-3.8.1Media Protection

MP.L2-3.8.2Media Access

MP.L2-3.8.4Media Markings

MP.L2-3.8.5Media Accountability

MP.L2-3.8.6Portable Storage Encryption

MP.L2-3.8.7Removable Media

MP.L2-3.8.8Shared Media

MP.L2-3.8.9Protect Backups

PE — Physical Protection (6 practices)

PE.L1-3.10.1Limit Physical Access

PE.L1-3.10.3Escort Visitors

PE.L1-3.10.4Physical Access Logs

PE.L1-3.10.5Manage Physical Access

PE.L2-3.10.2Monitor Facility

PE.L2-3.10.6Alternative Work Sites

PS — Personnel Security (2 practices)

PS.L2-3.9.1Screen Individuals

PS.L2-3.9.2Personnel Actions

RA — Risk Assessment (3 practices)

RA.L2-3.11.1Risk Assessments

RA.L2-3.11.2Vulnerability Scan

RA.L2-3.11.3Vulnerability Remediation

SC — System and Communications Protection (16 practices)

SC.L1-3.13.1Boundary Protection

SC.L1-3.13.5Public-Access System Separation

SC.L2-3.13.10Key Management

SC.L2-3.13.11CUI Encryption

SC.L2-3.13.12Collaborative Device Control

SC.L2-3.13.13Mobile Code

SC.L2-3.13.14Voice over Internet Protocol

SC.L2-3.13.15Communications Authenticity

SC.L2-3.13.16Data at Rest

SC.L2-3.13.2Security Engineering

SC.L2-3.13.3Role Separation

SC.L2-3.13.4Shared Resource Control

SC.L2-3.13.6Network Communication by Exception

SC.L2-3.13.7Split Tunneling

SC.L2-3.13.8Data in Transit

SC.L2-3.13.9Connections Termination

SI — System and Information Integrity (7 practices)

SI.L1-3.14.1Flaw Remediation

SI.L1-3.14.2Malicious Code Protection

SI.L1-3.14.4Update Malicious Code Protection

SI.L1-3.14.5System & File Scanning

SI.L2-3.14.3Security Alerts & Advisories

SI.L2-3.14.6Monitor Communications for Attacks

SI.L2-3.14.7Identify Unauthorized Use