CMMC v2.0 - Security and Communications Protection

Controls mapping and traceability diagram. Created by Tara Lemieux and Michael Redman, Schellman Compliance.


1. SC.L2-3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

1.1. "Determine if:

1.2. (a) network communications traffic is denied by default"

1.3. (b) network communications traffic is allowed by exception"
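Added example (not part of the original mind map or of the authors' material): a Python check of a Linux iptables filter table against objectives (a) and (b) above. The two rulesets are constructed samples in iptables-save format. The assumptions are that INPUT and FORWARD are the inbound chains that must default to DROP (or REJECT), and that an ACCEPT rule counts as an "exception" only if it carries at least one match (interface, protocol, port, source, connection state).

```python
"""Deny-all / permit-by-exception check for an iptables filter table (added example)."""
import re

# Constructed sample 1: permissive default policy plus a blanket accept.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

# Constructed sample 2: the corrected form of the same host.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.5.0/24 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

INBOUND_CHAINS = ("INPUT", "FORWARD")           # assumption: chains that must deny by default
POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\b")
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*?)\s*-j\s+(\S+)")


def audit_filter_table(ruleset: str) -> dict:
    """Return findings for the *filter table of an iptables-save dump.

    Objective (a): INPUT and FORWARD chain policies are DROP or REJECT.
    Objective (b): every ACCEPT on those chains carries a match; an ACCEPT
    with no match at all is a blanket allow, not an exception.
    """
    policies, blanket_accepts, exceptions = {}, [], []
    in_filter = False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT" or line.startswith("#"):
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m and m.group(3) == "ACCEPT" and m.group(1) in INBOUND_CHAINS:
            if m.group(2).strip():
                exceptions.append(line)
            else:
                blanket_accepts.append(line)
    deny_by_default = all(policies.get(c) in ("DROP", "REJECT") for c in INBOUND_CHAINS)
    return {
        "deny_by_default": deny_by_default,
        "policies": policies,
        "blanket_accepts": blanket_accepts,
        "exceptions": exceptions,
        "compliant": deny_by_default and not blanket_accepts,
    }


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit_filter_table(rules))
```

The compliant flag is necessary but not sufficient evidence: a rule such as `-A INPUT -p tcp -j ACCEPT` has a match and would pass, so an assessor still reads the exceptions list and ties each entry to a documented business need. The same two questions (what is the default action, and is every allow scoped) apply unchanged to nftables, cloud security groups and host firewalls on other platforms; only the parser differs.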

2. SC.L2-3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

2.1. "Determine if:

2.2. (a) remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling)"
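Added example (not from the original mind map): a Python check of OpenVPN configurations for the split-tunnelling condition in objective (a). The client profiles and server fragment are constructed samples. It assumes the OpenVPN semantics that a full tunnel requires a `redirect-gateway` directive, set locally or pushed by the server with `push "redirect-gateway ..."`, and that `route-nopull` or `pull-filter ignore "redirect-gateway"` on the client discards a pushed one.

```python
"""Detect split tunnelling in OpenVPN client/server configuration (added example)."""
import shlex

# Constructed sample profiles; not taken from any real deployment.
SPLIT_CLIENT = """\
client
dev tun
remote vpn.example.test 1194 udp
# keep only corporate prefixes on the tunnel, everything else stays local
route-nopull
route 10.0.0.0 255.0.0.0
"""

FULL_CLIENT = """\
client
dev tun
remote vpn.example.test 1194 udp
redirect-gateway def1
block-outside-dns
"""

BARE_CLIENT = "client\ndev tun\nremote vpn.example.test 1194 udp\n"
OPT_OUT_CLIENT = BARE_CLIENT + 'pull-filter ignore "redirect-gateway"\n'
PUSHING_SERVER = 'server 10.8.0.0 255.255.255.0\npush "redirect-gateway def1 bypass-dhcp"\n'


def _directives(text: str):
    """Yield (directive, args) for each non-comment line of an OpenVPN config."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens = shlex.split(line)        # honours the quoting used by push "..."
            yield tokens[0], tokens[1:]


def audit_split_tunnel(client_profile: str, server_config: str = "") -> dict:
    """Decide whether this client will send all traffic through the tunnel."""
    client = list(_directives(client_profile))
    local_redirect = any(d == "redirect-gateway" for d, _ in client)
    drops_pushed = any(d == "route-nopull" for d, _ in client)
    filters_redirect = any(
        d == "pull-filter" and a[:1] == ["ignore"]
        and any(x.startswith("redirect-gateway") for x in a[1:])
        for d, a in client)
    pushed_redirect = any(
        d == "push" and a and a[0].startswith("redirect-gateway")
        for d, a in _directives(server_config))

    if local_redirect:                         # a local default route survives route-nopull
        return {"full_tunnel": True, "findings": []}
    findings = []
    if drops_pushed:
        findings.append("route-nopull: any server-pushed redirect-gateway is discarded")
    if filters_redirect:
        findings.append("pull-filter ignore redirect-gateway: the pushed default route is dropped")
    if not pushed_redirect:
        findings.append("no redirect-gateway set locally or pushed by the server")
    return {"full_tunnel": not findings, "findings": findings}


if __name__ == "__main__":
    print("split client:", audit_split_tunnel(SPLIT_CLIENT))
    print("full client:", audit_split_tunnel(FULL_CLIENT))
    print("bare client + pushing server:", audit_split_tunnel(BARE_CLIENT, PUSHING_SERVER))
    print("opt-out client + pushing server:", audit_split_tunnel(OPT_OUT_CLIENT, PUSHING_SERVER))
```

This is a configuration-intent check, and a client profile alone cannot show what the server pushes, which is why the server side is an input. The stronger evidence for an assessor is the live routing table on a connected device (no default route via the physical interface while the tunnel is up), since a user with local administrator rights can add routes that no profile records.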

3. SC.L2-3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

3.1. "Determine if:

3.2. (a) cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified"

3.3. (b) alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified"

3.4. (c) either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission"

4. SC.L2-3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

4.1. "Determine if:

4.1.1. AC.L2-3.1.18: This practice (SC.L2-3.13.9) requires network connections be terminated under certain conditions, complementing AC.L2-3.1.18, which requires control of mobile device connections.

4.2. (a) a period of inactivity to terminate network connections associated with communications sessions is defined"

4.3. (b) network connections associated with communications sessions are terminated at the end of the sessions"

4.4. (c) network connections associated with communications sessions are terminated after the defined period of inactivity"
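Added example (not from the original mind map): a minimal asyncio service in Python that satisfies objectives (a) through (c). The idle period is a named constant, a session ends either when the peer sends QUIT or when that period passes with no traffic, and in both cases the TCP connection itself is closed rather than only the application state. The protocol (one command per line, `+OK`/`-ERR` replies) and the 0.5 s timeout are constructed for the demo; a production value would be minutes and would be documented as the defined period.

```python
"""Session termination at end of session and after a defined idle period (added example)."""
import asyncio
import time

IDLE_TIMEOUT = 0.5  # seconds; constructed for the demo (objective a: the defined period)


async def _close(writer: asyncio.StreamWriter) -> None:
    """Tear the connection down; tolerate a peer that already went away."""
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:
        pass


async def handle_session(reader: asyncio.StreamReader, writer: asyncio.StreamWriter,
                         idle_timeout: float = IDLE_TIMEOUT) -> None:
    """Toy line-oriented service: echo each line, close on QUIT, EOF or inactivity."""
    try:
        while True:
            try:
                line = await asyncio.wait_for(reader.readline(), timeout=idle_timeout)
            except asyncio.TimeoutError:
                # Objective (c): the defined inactivity period elapsed with no traffic.
                writer.write(b"-ERR idle timeout, closing connection\r\n")
                await writer.drain()
                return
            if not line:                          # peer closed first: nothing left to do
                return
            if line.strip().upper() == b"QUIT":
                # Objective (b): the peer ended the session explicitly.
                writer.write(b"+OK bye\r\n")
                await writer.drain()
                return
            writer.write(b"+OK " + line)
            await writer.drain()
    finally:
        await _close(writer)                      # the network connection is terminated, not just the session state


async def _exercise(port: int) -> dict:
    """Client side: one session ended by QUIT, one abandoned until the server closes it."""
    results = {}
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"HELLO\r\n")
    await writer.drain()
    results["echo"] = await reader.readline()
    writer.write(b"QUIT\r\n")
    await writer.drain()
    results["bye"] = await reader.readline()
    results["closed_after_quit"] = (await reader.read()) == b""   # EOF: server closed the socket
    await _close(writer)

    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    started = time.monotonic()
    results["idle_msg"] = await reader.readline()                  # blocks until the server gives up
    results["closed_after_idle"] = (await reader.read()) == b""
    results["idle_seconds"] = time.monotonic() - started
    await _close(writer)
    return results


async def _run(idle_timeout: float) -> dict:
    server = await asyncio.start_server(
        lambda r, w: handle_session(r, w, idle_timeout), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        return await _exercise(port)


def demo(idle_timeout: float = IDLE_TIMEOUT) -> dict:
    """Run server and client on loopback and report what the client observed."""
    return asyncio.run(_run(idle_timeout))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The inactivity timer is reset on every received line, which is the usual definition of "inactivity"; a service that measures total session age instead is enforcing a different control. For protocols that multiplex many logical sessions over one long-lived connection (HTTP/2, database pools), the assessor should confirm which object the timeout actually closes.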

5. SC.L2-3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems.

5.1. "Determine if:

5.1.1. AC.L2-3.1.19: This practice (SC.L2-3.13.10) complements AC.L2-3.1.19 by specifying that any cryptographic keys in use must be protected.

5.2. (a) cryptographic keys are established whenever cryptography is employed"

5.3. (b) cryptographic keys are managed whenever cryptography is employed"

6. SC.L2-3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

6.1. "Determine if:

6.2. (a) collaborative computing devices are identified"

6.3. (b) collaborative computing devices provide indication to users of devices in use"

6.4. (c) remote activation of collaborative computing devices is prohibited"

7. SC.L2-3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

7.1. "Determine if:

7.2. (a) use of Voice over Internet Protocol (VoIP) technologies is controlled"

7.3. (b) use of Voice over Internet Protocol (VoIP) technologies is monitored"

8. SC.L2-3.13.16 Protect the confidentiality of CUI at rest.

8.1. "Determine if:

8.1.1. MP.L2-3.8.9: This practice (SC.L2-3.13.16) requires confidentiality be provided for CUI at rest and complements MP.L2-3.8.9, which requires confidentiality of CUI at backup storage locations.

8.2. (a) the confidentiality of CUI at rest is protected"

9. SC.L1-3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

9.1. "Determine if:

9.2. (a) the external system boundary is defined"

9.3. (b) key internal system boundaries are defined"

9.4. (c) communications are monitored at the external system boundary"

9.5. (d) communications are monitored at key internal boundaries"

9.6. (e) communications are controlled at the external system boundary"

9.7. (f) communications are controlled at key internal boundaries"

9.8. (g) communications are protected at the external system boundary"

9.9. (h) communications are protected at key internal boundaries"

10. SC.L2-3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

10.1. "Determine if:

10.2. (a) architectural designs that promote effective information security are identified"

10.3. (b) software development techniques that promote effective information security are identified"

10.4. (c) systems engineering principles that promote effective information security are identified"

10.5. (d) identified architectural designs that promote effective information security are employed"

10.6. (e) identified software development techniques that promote effective information security are employed"

10.7. (f) identified systems engineering principles that promote effective information security are employed"

11. SC.L2-3.13.3 Separate user functionality from system management functionality.

11.1. "Determine if:

11.2. (a) user functionality is identified"

11.3. (b) system management functionality is identified"

11.4. (c) user functionality is separated from system management functionality"

12. SC.L2-3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.

12.1. "Determine if:

12.2. (a) unauthorized and unintended information transfer via shared system resources is prevented"

13. SC.L1-3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

13.1. "Determine if:

13.2. (a) publicly accessible system components are identified"

13.3. (b) subnetworks for publicly accessible system components are physically or logically separated from internal networks"

14. SC.L2-3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

14.1. "Determine if:

14.1.1. Complements MP.L2-3.8.6, SC.L2-3.13.8, and SC.L2-3.13.16 by specifying that FIPS-validated cryptography must be used.

14.2. (a) FIPS-validated cryptography is employed to protect the confidentiality of CUI"

15. SC.L2-3.13.13 Control and monitor the use of mobile code.

15.1. "Determine if:

15.2. (a) use of mobile code is controlled"

15.3. (b) use of mobile code is monitored"

16. SC.L2-3.13.15 Protect the authenticity of communications sessions.

16.1. "Determine if:

16.2. (a) the authenticity of communications sessions is protected"
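Added example (not from the original mind map) serving two practices: SC.L2-3.13.10 (keys are established and managed wherever cryptography is used) and SC.L2-3.13.15 (authenticity of communications sessions). The key ring establishes keys with a cryptoperiod, rotates them, keeps a deactivated key only for a grace period so live sessions are not all cut off at once, and then destroys it. The session tokens are HMAC-SHA-256 tagged, carry the key id that signed them, and fail verification if a claim is altered or the signing key has been retired. The token format, cryptoperiod, grace period and the deterministic clock are assumptions made for the example; it is standard-library Python and not tied to any product.

```python
"""Key lifecycle management for HMAC-authenticated session tokens (added example)."""
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time
from dataclasses import dataclass


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FakeClock:
    """Deterministic clock so rotation and retirement can be exercised offline."""
    def __init__(self, now: float): self.now = now
    def __call__(self) -> float: return self.now
    def advance(self, seconds: float) -> None: self.now += seconds


@dataclass
class ManagedKey:
    kid: str
    secret: bytes
    created: float
    state: str = "active"             # active -> deactivated -> destroyed
    deactivated: float | None = None


class KeyRing:
    """Objective (a): establish keys. Objective (b): rotate, retire and destroy them.

    cryptoperiod: seconds a key may sign new tokens.
    grace: seconds a deactivated key may still verify tokens it signed earlier.
    """
    def __init__(self, cryptoperiod: float, grace: float, clock=time.time):
        self.cryptoperiod, self.grace, self.clock = cryptoperiod, grace, clock
        self.keys: dict[str, ManagedKey] = {}
        self.current = ""
        self.rotate()

    def rotate(self) -> str:
        now = self.clock()
        if self.current:
            old = self.keys[self.current]
            old.state, old.deactivated = "deactivated", now
        kid = secrets.token_hex(4)
        self.keys[kid] = ManagedKey(kid, secrets.token_bytes(32), now)   # 256-bit key from the OS CSPRNG
        self.current = kid
        return kid

    def signing_key(self) -> ManagedKey:
        if self.clock() - self.keys[self.current].created >= self.cryptoperiod:
            self.rotate()                 # cryptoperiod exhausted: never sign with a stale key
        return self.keys[self.current]

    def verifying_key(self, kid: str) -> ManagedKey | None:
        key = self.keys.get(kid)
        if key is None or key.state == "destroyed":
            return None
        if key.state == "deactivated" and self.clock() - key.deactivated >= self.grace:
            key.state, key.secret = "destroyed", b""     # retire: material dropped, id kept for audit
            return None
        return key


def issue_token(ring: KeyRing, claims: dict) -> str:
    key = ring.signing_key()
    body = b64u(json.dumps({**claims, "kid": key.kid, "iat": ring.clock()}, sort_keys=True).encode())
    tag = hmac.new(key.secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{b64u(tag)}"


def verify_token(ring: KeyRing, token: str) -> dict | None:
    """Return the claims only if the tag is valid under a key that is still trusted."""
    try:
        body, tag = token.split(".")
        claims, tag_bytes = json.loads(b64u_decode(body)), b64u_decode(tag)
        key = ring.verifying_key(str(claims.get("kid", "")))
    except (ValueError, AttributeError):
        return None
    if key is None:
        return None
    expected = hmac.new(key.secret, body.encode("ascii"), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, tag_bytes) else None


def demo() -> dict:
    clock = FakeClock(1_700_000_000.0)
    ring = KeyRing(cryptoperiod=3600, grace=600, clock=clock)
    kid1 = ring.current
    t1 = issue_token(ring, {"sub": "alice"})
    body, tag = t1.split(".")
    forged = json.loads(b64u_decode(body)); forged["sub"] = "admin"
    forged_token = b64u(json.dumps(forged, sort_keys=True).encode()) + "." + tag
    out = {"fresh_ok": verify_token(ring, t1) is not None,
           "forged_rejected": verify_token(ring, forged_token) is None}
    clock.advance(3600)                                    # cryptoperiod over
    t2 = issue_token(ring, {"sub": "bob"})                 # forces rotation
    out["rotated"] = ring.current != kid1
    out["old_ok_in_grace"] = verify_token(ring, t1) is not None
    clock.advance(600)                                     # grace over
    out["old_rejected_after_grace"] = verify_token(ring, t1) is None
    out["old_destroyed"] = ring.keys[kid1].state == "destroyed"
    out["new_ok"] = verify_token(ring, t2) is not None
    return out


if __name__ == "__main__":
    print(demo())
```

Two points for the assessor follow from the code. First, carrying the key id in the token is what makes rotation operable: without it, every rotation either invalidates all sessions or forces the verifier to try every key. Second, HMAC-SHA-256 being an approved algorithm does not by itself satisfy SC.L2-3.13.11; Python's hashlib only counts as FIPS-validated cryptography when it is backed by a validated module (an OpenSSL build in FIPS mode), which is a property of the deployment, not of this code.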

17. SC.L2-3.13.17 Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).

17.1. "Determine if:

17.2. (a) the organization has a security policy which restricts publishing CUI to any externally owned, publicly accessible information system"

17.3. (b) the organization designates individuals authorized to post organization information onto any externally owned, publicly accessible information systems"

17.4. (c) the organization trains authorized individuals to ensure that publicly accessible organization information does not contain CUI"

17.5. (d) the organization conducts reviews to ensure CUI is not included in proposed content to be posted by the organization on a publicly accessible information system under its control"

17.6. (e) the organization removes CUI, if discovered, from any publicly accessible information system under its control"