CMMC Level 2 Checklist -- 110 Practices by Domain | By Petronella Technology Group
All 110 CMMC Level 2 (Advanced) practices organized by domain. Each practice maps directly to NIST SP 800-171 Rev 2.
Status Key: MET / NOT MET / PARTIAL / N/A
Access Control (AC) -- 22 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 1 | AC.L2-3.1.1 | 3.1.1 | Limit system access to authorized users, processes, and devices | [ ] |
| 2 | AC.L2-3.1.2 | 3.1.2 | Limit system access to authorized transaction types and functions | [ ] |
| 3 | AC.L2-3.1.3 | 3.1.3 | Control the flow of CUI in accordance with approved authorizations | [ ] |
| 4 | AC.L2-3.1.4 | 3.1.4 | Separate duties of individuals to reduce risk of malicious activity | [ ] |
| 5 | AC.L2-3.1.5 | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts | [ ] |
| 6 | AC.L2-3.1.6 | 3.1.6 | Use non-privileged accounts when accessing non-security functions | [ ] |
| 7 | AC.L2-3.1.7 | 3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution in audit logs | [ ] |
| 8 | AC.L2-3.1.8 | 3.1.8 | Limit unsuccessful logon attempts | [ ] |
| 9 | AC.L2-3.1.9 | 3.1.9 | Provide privacy and security notices consistent with applicable CUI rules | [ ] |
| 10 | AC.L2-3.1.10 | 3.1.10 | Use session lock with pattern-hiding displays after inactivity | [ ] |
| 11 | AC.L2-3.1.11 | 3.1.11 | Terminate (automatically) a user session after a defined condition | [ ] |
| 12 | AC.L2-3.1.12 | 3.1.12 | Monitor and control remote access sessions | [ ] |
| 13 | AC.L2-3.1.13 | 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions | [ ] |
| 14 | AC.L2-3.1.14 | 3.1.14 | Route remote access via managed access control points | [ ] |
| 15 | AC.L2-3.1.15 | 3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information | [ ] |
| 16 | AC.L2-3.1.16 | 3.1.16 | Authorize wireless access prior to allowing such connections | [ ] |
| 17 | AC.L2-3.1.17 | 3.1.17 | Protect wireless access using authentication and encryption | [ ] |
| 18 | AC.L2-3.1.18 | 3.1.18 | Control connection of mobile devices | [ ] |
| 19 | AC.L2-3.1.19 | 3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms | [ ] |
| 20 | AC.L2-3.1.20 | 3.1.20 | Verify and control/limit connections to and use of external systems | [ ] |
| 21 | AC.L2-3.1.21 | 3.1.21 | Limit use of portable storage devices on external systems | [ ] |
| 22 | AC.L2-3.1.22 | 3.1.22 | Control information posted or processed on publicly accessible systems | [ ] |
Awareness and Training (AT) -- 3 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 23 | AT.L2-3.2.1 | 3.2.1 | Ensure that managers, systems administrators, and users are made aware of the security risks associated with their activities and of applicable policies, standards, and procedures | [ ] |
| 24 | AT.L2-3.2.2 | 3.2.2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities | [ ] |
| 25 | AT.L2-3.2.3 | 3.2.3 | Provide security awareness training on recognizing and reporting potential indicators of insider threat | [ ] |
Audit and Accountability (AU) -- 9 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 26 | AU.L2-3.3.1 | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity | [ ] |
| 27 | AU.L2-3.3.2 | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable | [ ] |
| 28 | AU.L2-3.3.3 | 3.3.3 | Review and update logged events | [ ] |
| 29 | AU.L2-3.3.4 | 3.3.4 | Alert in the event of an audit logging process failure | [ ] |
| 30 | AU.L2-3.3.5 | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response | [ ] |
| 31 | AU.L2-3.3.6 | 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting | [ ] |
| 32 | AU.L2-3.3.7 | 3.3.7 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records | [ ] |
| 33 | AU.L2-3.3.8 | 3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion | [ ] |
| 34 | AU.L2-3.3.9 | 3.3.9 | Limit management of audit logging functionality to a subset of privileged users | [ ] |
Configuration Management (CM) -- 9 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 35 | CM.L2-3.4.1 | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems | [ ] |
| 36 | CM.L2-3.4.2 | 3.4.2 | Establish and enforce security configuration settings for IT products employed in organizational systems | [ ] |
| 37 | CM.L2-3.4.3 | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems | [ ] |
| 38 | CM.L2-3.4.4 | 3.4.4 | Analyze the security impact of changes prior to implementation | [ ] |
| 39 | CM.L2-3.4.5 | 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems | [ ] |
| 40 | CM.L2-3.4.6 | 3.4.6 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities | [ ] |
| 41 | CM.L2-3.4.7 | 3.4.7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services | [ ] |
| 42 | CM.L2-3.4.8 | 3.4.8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software | [ ] |
| 43 | CM.L2-3.4.9 | 3.4.9 | Control and monitor user-installed software | [ ] |
Identification and Authentication (IA) -- 11 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 44 | IA.L2-3.5.1 | 3.5.1 | Identify system users, processes, and devices | [ ] |
| 45 | IA.L2-3.5.2 | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices | [ ] |
| 46 | IA.L2-3.5.3 | 3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | [ ] |
| 47 | IA.L2-3.5.4 | 3.5.4 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts | [ ] |
| 48 | IA.L2-3.5.5 | 3.5.5 | Prevent reuse of identifiers for a defined period | [ ] |
| 49 | IA.L2-3.5.6 | 3.5.6 | Disable identifiers after a defined period of inactivity | [ ] |
| 50 | IA.L2-3.5.7 | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created | [ ] |
| 51 | IA.L2-3.5.8 | 3.5.8 | Prohibit password reuse for a specified number of generations | [ ] |
| 52 | IA.L2-3.5.9 | 3.5.9 | Allow temporary password use for system logons with an immediate change to a permanent password | [ ] |
| 53 | IA.L2-3.5.10 | 3.5.10 | Store and transmit only cryptographically-protected passwords | [ ] |
| 54 | IA.L2-3.5.11 | 3.5.11 | Obscure feedback of authentication information | [ ] |
Incident Response (IR) -- 3 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 55 | IR.L2-3.6.1 | 3.6.1 | Establish an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user response activities | [ ] |
| 56 | IR.L2-3.6.2 | 3.6.2 | Track, document, and report incidents to designated officials and/or authorities | [ ] |
| 57 | IR.L2-3.6.3 | 3.6.3 | Test the organizational incident response capability | [ ] |
Maintenance (MA) -- 6 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 58 | MA.L2-3.7.1 | 3.7.1 | Perform maintenance on organizational systems | [ ] |
| 59 | MA.L2-3.7.2 | 3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance | [ ] |
| 60 | MA.L2-3.7.3 | 3.7.3 | Ensure equipment removed for off-site maintenance is sanitized of any CUI | [ ] |
| 61 | MA.L2-3.7.4 | 3.7.4 | Check media containing diagnostic and test programs for malicious code before the media are used in the organizational system | [ ] |
| 62 | MA.L2-3.7.5 | 3.7.5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete | [ ] |
| 63 | MA.L2-3.7.6 | 3.7.6 | Supervise the maintenance activities of maintenance personnel without required access authorization | [ ] |
Media Protection (MP) -- 9 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 64 | MP.L2-3.8.1 | 3.8.1 | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital | [ ] |
| 65 | MP.L2-3.8.2 | 3.8.2 | Limit access to CUI on system media to authorized users | [ ] |
| 66 | MP.L2-3.8.3 | 3.8.3 | Sanitize or destroy system media containing CUI before disposal or release for reuse | [ ] |
| 67 | MP.L2-3.8.4 | 3.8.4 | Mark media with necessary CUI markings and distribution limitations | [ ] |
| 68 | MP.L2-3.8.5 | 3.8.5 | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas | [ ] |
| 69 | MP.L2-3.8.6 | 3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards | [ ] |
| 70 | MP.L2-3.8.7 | 3.8.7 | Control the use of removable media on system components | [ ] |
| 71 | MP.L2-3.8.8 | 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner | [ ] |
| 72 | MP.L2-3.8.9 | 3.8.9 | Protect the confidentiality of backup CUI at storage locations | [ ] |
Personnel Security (PS) -- 2 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 73 | PS.L2-3.9.1 | 3.9.1 | Screen individuals prior to authorizing access to systems containing CUI | [ ] |
| 74 | PS.L2-3.9.2 | 3.9.2 | Ensure that CUI and systems containing CUI are protected during and after personnel actions such as terminations and transfers | [ ] |
Physical Protection (PE) -- 6 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 75 | PE.L2-3.10.1 | 3.10.1 | Limit physical access to organizational systems, equipment, and operating environments to authorized individuals | [ ] |
| 76 | PE.L2-3.10.2 | 3.10.2 | Protect and monitor the physical facility and support infrastructure | [ ] |
| 77 | PE.L2-3.10.3 | 3.10.3 | Escort visitors and monitor visitor activity | [ ] |
| 78 | PE.L2-3.10.4 | 3.10.4 | Maintain audit logs of physical access | [ ] |
| 79 | PE.L2-3.10.5 | 3.10.5 | Control and manage physical access devices | [ ] |
| 80 | PE.L2-3.10.6 | 3.10.6 | Enforce safeguarding measures for CUI at alternate work sites | [ ] |
Risk Assessment (RA) -- 3 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 81 | RA.L2-3.11.1 | 3.11.1 | Periodically assess the risk to organizational operations, assets, and individuals resulting from the operation of organizational systems and the processing, storage, or transmission of CUI | [ ] |
| 82 | RA.L2-3.11.2 | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems are identified | [ ] |
| 83 | RA.L2-3.11.3 | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments | [ ] |
Security Assessment (CA) -- 4 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 84 | CA.L2-3.12.1 | 3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application | [ ] |
| 85 | CA.L2-3.12.2 | 3.12.2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems | [ ] |
| 86 | CA.L2-3.12.3 | 3.12.3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls | [ ] |
| 87 | CA.L2-3.12.4 | 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems | [ ] |
System and Communications Protection (SC) -- 16 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 88 | SC.L2-3.13.1 | 3.13.1 | Monitor, control, and protect communications at external boundaries and key internal boundaries | [ ] |
| 89 | SC.L2-3.13.2 | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security | [ ] |
| 90 | SC.L2-3.13.3 | 3.13.3 | Separate user functionality from system management functionality | [ ] |
| 91 | SC.L2-3.13.4 | 3.13.4 | Prevent unauthorized and unintended information transfer via shared system resources | [ ] |
| 92 | SC.L2-3.13.5 | 3.13.5 | Implement subnetworks for publicly accessible system components separated from internal networks | [ ] |
| 93 | SC.L2-3.13.6 | 3.13.6 | Deny network communications traffic by default and allow by exception (deny all, permit by exception) | [ ] |
| 94 | SC.L2-3.13.7 | 3.13.7 | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via other connections to external resources (split tunneling) | [ ] |
| 95 | SC.L2-3.13.8 | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards | [ ] |
| 96 | SC.L2-3.13.9 | 3.13.9 | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity | [ ] |
| 97 | SC.L2-3.13.10 | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems | [ ] |
| 98 | SC.L2-3.13.11 | 3.13.11 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI | [ ] |
| 99 | SC.L2-3.13.12 | 3.13.12 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device | [ ] |
| 100 | SC.L2-3.13.13 | 3.13.13 | Control and monitor the use of mobile code | [ ] |
| 101 | SC.L2-3.13.14 | 3.13.14 | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies | [ ] |
| 102 | SC.L2-3.13.15 | 3.13.15 | Protect the authenticity of communications sessions | [ ] |
| 103 | SC.L2-3.13.16 | 3.13.16 | Protect the confidentiality of CUI at rest | [ ] |
System and Information Integrity (SI) -- 7 Practices
| # | Practice ID | NIST Ref | Requirement | Status |
|---|---|---|---|---|
| 104 | SI.L2-3.14.1 | 3.14.1 | Identify, report, and correct system flaws in a timely manner | [ ] |
| 105 | SI.L2-3.14.2 | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems | [ ] |
| 106 | SI.L2-3.14.3 | 3.14.3 | Monitor system security alerts and advisories and take action in response | [ ] |
| 107 | SI.L2-3.14.4 | 3.14.4 | Update malicious code protection mechanisms when new releases are available | [ ] |
| 108 | SI.L2-3.14.5 | 3.14.5 | Perform periodic scans of organizational systems and real-time scans of files from external sources | [ ] |
| 109 | SI.L2-3.14.6 | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks | [ ] |
| 110 | SI.L2-3.14.7 | 3.14.7 | Identify unauthorized use of organizational systems | [ ] |
Scoring Summary
| Domain | Practices | MET | NOT MET | PARTIAL | Weighted Points |
|---|---|---|---|---|---|
| Access Control (AC) | 22 | | | | |
| Awareness and Training (AT) | 3 | | | | |
| Audit and Accountability (AU) | 9 | | | | |
| Configuration Management (CM) | 9 | | | | |
| Identification and Authentication (IA) | 11 | | | | |
| Incident Response (IR) | 3 | | | | |
| Maintenance (MA) | 6 | | | | |
| Media Protection (MP) | 9 | | | | |
| Personnel Security (PS) | 2 | | | | |
| Physical Protection (PE) | 6 | | | | |
| Risk Assessment (RA) | 3 | | | | |
| Security Assessment (CA) | 4 | | | | |
| System and Communications Protection (SC) | 16 | | | | |
| System and Information Integrity (SI) | 7 | | | | |
| Total | 110 | | | | |
SPRS Score: _____ / 110 (see DoD scoring methodology for weighted deductions)
Need help with CMMC Level 2? Contact Petronella Technology Group -- CMMC Registered Practitioner on staff, 2,500+ companies protected.