CMMC v2.0 - Access Control

Controls mapping and traceability diagram. Created by Tara Lemieux and Michael Redman, Schellman Compliance.


1. AC.L2-3.1.8 Limit Unsuccessful Logon Attempts

1.1. Determine if:

1.2. (a) the means of limiting unsuccessful logon attempts is defined

1.3. (b) the defined means of limiting unsuccessful logon attempts is implemented
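Objectives (a) and (b) of AC.L2-3.1.8 ask first for the limiting means to be defined (a threshold, a counting window and a lockout duration) and then for that definition to be enforced. The tracker below is an added illustration, not part of the mind map or of any vendor product: it implements such a policy as a per-account state machine and replays a constructed stream of logon events through it. The threshold and timing values are assumed policy settings, not figures from the practice text, and the user names and timestamps are constructed.

```python
"""Lockout tracker for AC.L2-3.1.8: defines the limiting means (threshold,
counting window, lockout duration) and enforces it over a stream of logon
events. Added illustration; the numbers below are assumed policy values,
not figures from the CMMC practice text."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5       # assumed: failures allowed before lockout
    window_seconds: int = 900   # assumed: failures are counted within this window
    lockout_seconds: int = 900  # assumed: how long the account stays locked


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # timestamps of recent failures
    locked_until: int = 0                               # 0 means not locked


class LockoutTracker:
    """Per-account state machine: denied -> ... -> locked -> (expiry) -> allowed."""

    def __init__(self, policy: Optional[LockoutPolicy] = None) -> None:
        self.policy = policy or LockoutPolicy()
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: int) -> bool:
        return self._state(user).locked_until > now

    def record(self, user: str, credential_ok: bool, now: int) -> str:
        """Apply one logon attempt at time `now` and return the outcome:
        'allowed', 'denied' (bad credential, under threshold) or 'locked'."""
        st = self._state(user)
        if st.locked_until > now:
            # A correct password during the lockout still fails: the lock is
            # what stops online guessing, so it must not be bypassable.
            return "locked"
        # Forget failures that fell out of the counting window.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        if credential_ok:
            st.failures.clear()
            return "allowed"
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return "locked"
        return "denied"


def replay(events: List[Tuple[int, str, bool]],
           policy: Optional[LockoutPolicy] = None) -> List[Tuple[int, str, str]]:
    """Run a list of (timestamp, user, credential_ok) events through one tracker."""
    tracker = LockoutTracker(policy)
    return [(t, user, tracker.record(user, ok, t)) for t, user, ok in events]


# Constructed sample: alice is brute-forced, bob fails slowly (never 5 within 900 s).
SAMPLE_EVENTS: List[Tuple[int, str, bool]] = [
    (0, "alice", False), (10, "alice", False), (20, "alice", False),
    (30, "alice", False), (40, "alice", False),   # fifth failure -> locked until 940
    (50, "alice", True),                          # right password, still locked
    (940, "alice", True),                         # lock expired -> allowed
    (0, "bob", False), (1000, "bob", False), (2000, "bob", False),
    (3000, "bob", False), (4000, "bob", False),   # each failure ages out -> only 'denied'
]

if __name__ == "__main__":
    for ts, user, outcome in replay(SAMPLE_EVENTS):
        print(f"t={ts:>5} {user:<6} {outcome}")
```

The two edge cases an assessor will probe are visible in the replay: a correct credential presented while the account is locked is still rejected, and failures spread wider than the counting window never accumulate to the threshold. Whatever mechanism actually enforces the policy (pam_faillock, Active Directory account lockout, an application's own counter), its configured values are objective (a) and a replay like this against a test account is evidence for objective (b).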

2. AC.L2-3.1.9 Provide privacy and security notices consistent with applicable CUI rules.

2.1. Determine if:

2.2. (a) privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category

2.3. (b) privacy and security notices are displayed

3. AC.L2-3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

3.1. Determine if:

3.2. (a) the period of inactivity after which the system initiates a session lock is defined

3.3. (b) access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity

3.4. (c) previously visible information is concealed via a pattern-hiding display after the defined period of inactivity

4. AC.L1-3.1.20 Verify and control/limit connections to and use of external information systems.

4.1. Determine if:

4.2. (a) connections to external systems are identified

4.3. (b) the use of external systems is identified

4.4. (c) connections to external systems are verified

4.5. (d) the use of external systems is verified

4.6. (e) connections to external systems are controlled/limited

4.7. (f) the use of external systems is controlled/limited

5. AC.L1-3.1.22 Control information posted or processed on publicly accessible information systems.

5.1. Determine if:

5.2. (a) individuals authorized to post or process information on publicly accessible systems are identified

5.3. (b) procedures to ensure FCI is not posted or processed on publicly accessible systems are identified

5.4. (c) a review process is in place prior to posting of any content to publicly accessible systems

5.5. (d) content on publicly accessible systems is reviewed to ensure that it does not include FCI

5.6. (e) mechanisms are in place to remove and address improper posting of FCI

6. AC.L2-3.1.14 Route remote access via managed access control points. See also IA.L2-3.5.3 (requires multifactor authentication for network access to non-privileged accounts) and MA.L2-3.7.5 (requires the addition of multifactor authentication for remote maintenance sessions).

6.1. Determine if:

6.2. (a) managed access control points are identified and implemented

6.3. (b) remote access is routed through managed network access control points

7. AC.L2-3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information. See also, IA.L2-3.5.3 (requires multifactor authentication for network access to non-privileged accounts) and MA.L2-3.7.5 (requires the addition of multifactor authentication for remote maintenance sessions).

7.1. Determine if:

7.2. (a) privileged commands authorized for remote execution are identified

7.3. (b) security-relevant information authorized to be accessed remotely is identified

7.4. (c) the execution of the identified privileged commands via remote access is authorized

7.5. (d) access to the identified security-relevant information via remote access is authorized

8. AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

8.1. Determine if:

8.2. (a) privileged functions are defined

8.3. (b) non-privileged users are defined

8.4. (c) non-privileged users are prevented from executing privileged functions

8.5. (d) the execution of privileged functions is captured in audit logs
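AC.L2-3.1.7 is assessed as four objectives: define the privileged functions, define the non-privileged users, prevent the latter from executing the former, and capture every such execution in the audit log. The script below is an added example, not part of the mind map, of how the last two objectives can be checked against what a system actually recorded: it parses sudo's syslog records, keeps an audit record for every execution of a defined privileged function (objective (d)), and raises a finding when a non-privileged user was allowed to run one (a failure of objective (c)). The privileged-function mapping and the set of privileged users are assumed definitions standing in for objectives (a) and (b), and the log lines are constructed.

```python
"""Audit of privileged-function execution for AC.L2-3.1.7, run over sudo
syslog lines. Added illustration: the log lines are constructed, and the
privileged-function and privileged-user sets are assumed, not taken from
the CMMC practice text."""
import re
from typing import Dict, List, Tuple

# Assumed definition of privileged functions (objective (a)): executable -> function.
PRIVILEGED_FUNCTIONS: Dict[str, str] = {
    "/usr/sbin/useradd": "account management",
    "/usr/sbin/usermod": "account management",
    "/usr/bin/passwd": "credential management",
    "/usr/bin/systemctl": "service control",
    "/usr/sbin/visudo": "privilege configuration",
}
# Assumed set of users holding a privileged role; everyone else is non-privileged (objective (b)).
PRIVILEGED_USERS = {"alice"}

# sudo's syslog format: "<user> : [command not allowed ; ]TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>command not allowed) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def parse_sudo_line(line: str) -> Dict[str, str]:
    """Parse one sudo log line into a record; return {} for anything else."""
    m = SUDO_RE.match(line.rstrip())
    if not m:
        return {}
    rec = m.groupdict()
    rec["allowed"] = "no" if rec.pop("denied") else "yes"
    # Classify by the executable only; arguments do not change which function it is.
    rec["function"] = PRIVILEGED_FUNCTIONS.get(rec["cmd"].split()[0], "")
    return rec


def audit(lines: List[str]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (audit records for every privileged-function event, findings).
    Records are the evidence for objective (d); findings are failures of (c)."""
    records: List[Dict[str, str]] = []
    findings: List[str] = []
    for line in lines:
        rec = parse_sudo_line(line)
        if not rec or not rec["function"]:
            continue  # not a sudo record, or not a defined privileged function
        records.append(rec)
        if rec["user"] in PRIVILEGED_USERS:
            continue  # authorized role; logged, nothing to flag
        if rec["allowed"] == "yes":
            findings.append(f"{rec['ts']} {rec['user']} executed {rec['function']} "
                            f"({rec['cmd']}) as {rec['target']} but is non-privileged")
        # A denied attempt by a non-privileged user is the control working:
        # it stays in the audit trail but is not a finding.
    return records, findings


# Constructed sample log: one authorized admin, one non-privileged user who was
# wrongly allowed to create an account and then correctly refused a password change,
# one unrelated sudo command and one non-sudo line.
SAMPLE_LOG = """\
Mar  3 10:15:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Mar  3 10:16:45 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd eve
Mar  3 10:17:10 host1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd root
Mar  3 10:20:00 host1 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
Mar  3 10:21:00 host1 sshd[4242]: Accepted publickey for carol from 10.0.0.5 port 51234 ssh2
"""

if __name__ == "__main__":
    recs, found = audit(SAMPLE_LOG.splitlines())
    for r in recs:
        print(f"{r['ts']} {r['user']:<6} {r['function']:<24} allowed={r['allowed']}")
    for f in found:
        print("FINDING:", f)
```

The denied passwd attempt is deliberately kept in the records rather than dropped: an assessor reading the audit log for objective (d) expects to see refused privileged attempts as well as successful ones, and a sudoers rule that let bob run useradd is exactly the kind of gap this review exists to surface.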

9. AC.L2-3.1.12 Monitor and control remote access sessions. See also IA.L2-3.5.3 and MA.L2-3.7.5

9.1. Determine if:

9.2. (a) remote access sessions are permitted

9.3. (b) the types of permitted remote access are identified

9.4. (c) remote access sessions are controlled

9.5. (d) remote access sessions are monitored

10. AC.L2-3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

10.1. Determine if:

10.2. (a) cryptographic mechanisms to protect the confidentiality of remote access sessions are identified

10.3. (b) cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented
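For AC.L2-3.1.13, "identified" (objective (a)) in practice means an explicit list of the algorithms a remote access service may negotiate, and "implemented" (objective (b)) means the service configuration actually pins that list. The checker below is an added example, not part of the mind map or of OpenSSH, for the SSH case: it reads the global section of an sshd_config and reports any cipher, MAC or key exchange list that is missing, relative to the compiled-in default, or contains an algorithm outside an allow-list. The allow-list is an assumption modelled on common FIPS-mode OpenSSH settings and must be confirmed against the validated module and policy in use; the weak and hardened config fragments are constructed.

```python
"""Checks an sshd_config against an allow-list of cryptographic algorithms, as
one way to verify AC.L2-3.1.13 objectives (a) and (b) for SSH remote access.
Added illustration: the allow-list is an assumption modelled on common
FIPS-mode OpenSSH settings and must be confirmed against the validated module
in use; the two config fragments are constructed."""
from typing import Dict, List, Set

# Assumed allow-list; keywords are compared case-insensitively, as sshd does.
APPROVED: Dict[str, Set[str]] = {
    "ciphers": {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "macs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "hmac-sha2-256", "hmac-sha2-512"},
    "kexalgorithms": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                      "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
                      "diffie-hellman-group-exchange-sha256"},
}


def parse_global_section(config: str) -> Dict[str, str]:
    """Return keyword -> value for the global section (before any Match block).
    First occurrence wins, as in sshd; comments and blank lines are ignored."""
    directives: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks are out of scope for this global check
        if key not in directives and len(parts) == 2:
            directives[key] = parts[1].strip()
    return directives


def audit_sshd_config(config: str) -> List[str]:
    """Return findings; an empty list means every algorithm list is explicit
    and contains only approved algorithms."""
    findings: List[str] = []
    directives = parse_global_section(config)
    for keyword, approved in APPROVED.items():
        value = directives.get(keyword)
        if value is None:
            findings.append(f"{keyword}: not set, compiled-in default list applies")
            continue
        if value[0] in "+-^":
            # Relative syntax edits the built-in default set; an assessor cannot
            # read the resulting list from the file, so require an explicit one.
            findings.append(f"{keyword}: relative list '{value}' modifies the default set")
            continue
        for alg in value.split(","):
            if alg.strip() not in approved:
                findings.append(f"{keyword}: {alg.strip()} is not on the approved list")
    return findings


# Constructed: a permissive configuration as often found on a stock install.
WEAK_CONFIG = """\
Port 22
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,3des-cbc
MACs hmac-sha1,hmac-sha2-256
# KexAlgorithms not set -> whatever sshd was built with
Match User backup
    Ciphers aes256-ctr
"""

# Constructed: the corrected form with explicit approved-only lists.
HARDENED_CONFIG = """\
Port 22
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms ecdh-sha2-nistp384,diffie-hellman-group16-sha512
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or "no findings")
```

Reading the file is only half of objective (b): the running daemon may have been started with a different file or build, so pair this with `sshd -T` output on the host (which prints the effective values) and, for a VPN or RDP gateway, the equivalent effective-policy dump for that product.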

11. AC.L2-3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.

11.1. Determine if:

11.2. (a) nonsecurity functions are identified

11.3. (b) users are required to use non-privileged accounts or roles when accessing nonsecurity functions

12. AC.L2-3.1.18 Control connection of mobile devices.

12.1. Determine if:

12.2. (a) mobile devices that process, store, or transmit CUI are identified

12.3. (b) mobile device connections are authorized

12.4. (c) mobile device connections are monitored and logged

13. AC.L2-3.1.17 Protect wireless access using authentication and encryption.

13.1. Determine if:

13.2. (a) wireless access to the system is protected using authentication

13.3. (b) wireless access to the system is protected using encryption

14. AC.L2-3.1.16 Authorize wireless access prior to allowing such connections.

14.1. Determine if:

14.2. (a) wireless access points are identified

14.3. (b) wireless access is authorized prior to allowing such connections

15. AC.L1-3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

15.1. Determine if:

15.2. (a) authorized users are identified

15.3. (b) processes acting on behalf of authorized users are identified

15.4. (c) devices (and other systems) authorized to connect to the system are identified

15.5. (d) system access is limited to authorized users

15.6. (e) system access is limited to processes acting on behalf of authorized users

15.7. (f) system access is limited to authorized devices (including other systems)

16. AC.L2-3.1.11 Terminate (automatically) a user session after a defined condition.

16.1. Determine if:

16.2. (a) conditions requiring a user session to terminate are defined

16.3. (b) a user session is automatically terminated after any of the defined conditions occur

17. AC.L2-3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

17.1. Determine if:

17.2. (a) the duties of individuals requiring separation are defined

17.3. (b) responsibilities for duties that require separation are assigned to separate individuals

17.4. (c) access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals

18. AC.L2-3.1.19 Encrypt CUI on mobile devices and mobile computing platforms. NOTE: This practice, AC.L2-3.1.19, requires that CUI be encrypted on mobile devices and extends three other CUI protection practices (MP.L2-3.8.1, MP.L2-3.8.2, and SC.L2-3.13.16).

18.1. Determine if:

18.2. (a) mobile devices and mobile computing platforms that process, store, or transmit CUI are identified

18.3. (b) encryption is employed to protect CUI on identified mobile devices and mobile computing platforms

19. AC.L2-3.1.21 Limit use of portable storage devices on external systems.

19.1. Determine if:

19.2. (a) the use of portable storage devices containing CUI on external systems is identified and documented

19.3. (b) limits on the use of portable storage devices containing CUI on external systems are defined

19.4. (c) the use of portable storage devices containing CUI on external systems is limited as defined

20. AC.L1-3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

20.1. Determine if:

20.2. (a) the types of transactions and functions that authorized users are permitted to execute are defined

20.3. (b) system access is limited to the defined types of transactions and functions for authorized users

21. AC.L2-3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.

21.1. Determine if:

21.2. (a) privileged accounts are identified

21.3. (b) access to privileged accounts is authorized in accordance with the principle of least privilege

21.4. (c) security functions are identified

21.5. (d) access to security functions is authorized in accordance with the principle of least privilege

22. AC.L2-3.1.3 Control the flow of CUI in accordance with approved authorizations.

22.1. Determine if:

22.2. (a) information flow control policies are defined

22.3. (b) methods and enforcement mechanisms for controlling the flow of CUI are defined

22.4. (c) designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified

22.5. (d) authorizations for controlling the flow of CUI are defined

22.6. (e) approved authorizations for controlling the flow of CUI are enforced