CMMC COMPLIANCE CHECKLIST

This checklist assumes Level 3 requirements.

Asset Management
- Mechanisms exist to inventory system components that: accurately reflect the current system; are at the level of granularity deemed necessary for tracking and reporting; include organization-defined information deemed necessary to achieve effective property accountability; and are available for review and audit by designated organizational officials.
- Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to collect and manage asset-specific information.

Business Continuity & Disaster Recovery
- Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services.
- Mechanisms exist to create recurring backups of data, software and system images to ensure the availability of the data.
- Cryptographic mechanisms exist to prevent the unauthorized disclosure and modification of backup information.

Change Management
- Mechanisms exist to govern the technical configuration change control processes.
- Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.
- Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.

Cloud Security
- Mechanisms exist to host security-specific technologies in a dedicated subnet.

Need help getting started with CMMC compliance? Click here to request a consultation.

Compliance
- Mechanisms exist to provide a security controls oversight function.
- Mechanisms exist to regularly review assets for compliance with the organization's cybersecurity and privacy policies and standards.

Configuration Management
- Mechanisms exist to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards.
- Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents.
- Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.
- Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.
- Mechanisms exist to whitelist or blacklist applications in order to limit what is authorized to execute on systems.
- Mechanisms exist to prevent systems from creating split tunneling connections or similar techniques that could be used to exfiltrate data.
- Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software.

Cryptographic Protections
- Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.
- Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.
- Cryptographic mechanisms exist to prevent unauthorized disclosure of information at rest.
- Mechanisms exist to implement an internal Public Key Infrastructure (PKI) or obtain PKI services from a reputable PKI service provider.

Continuous Monitoring
- Mechanisms exist to utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support near real-time analysis and the escalation of events.
- Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.
- Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.
- Mechanisms exist to log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
- Mechanisms exist to utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support the centralized collection of security-related event logs.
- Automated mechanisms exist to correlate logs from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to maintain situational awareness.
- Automated mechanisms exist to centrally collect, review and analyze audit records from multiple sources.
- Mechanisms exist to configure systems to produce audit records that contain sufficient information to, at a minimum: establish what type of event occurred; when (date and time) the event occurred; where the event occurred; the source of the event; the outcome (success or failure) of the event; and the identity of any user/subject associated with the event. Audit records are available for review and audit by designated organizational officials.
- Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the incident.
- Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.
- Mechanisms exist to synchronize internal system clocks with an authoritative time source.
- Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.
- Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need.
- Mechanisms exist to retain audit records for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.
- Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC).
- Mechanisms exist to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.

Data Classification & Handling
- Mechanisms exist to facilitate the implementation of data protection controls.
- Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals.
- Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.
- Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.
- Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures.
- Mechanisms exist to sanitize digital media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.
- Mechanisms exist to restrict the use of types of digital media on systems or system components.
- Mechanisms exist to prohibit the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
- Mechanisms exist to govern how external parties, systems and services are used to securely store, process and transmit data.
- Mechanisms exist to restrict or prohibit the use of portable storage devices by users on external systems.
- Mechanisms exist to control publicly-accessible content.

Endpoint Security
- Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.
- Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.
- Mechanisms exist to automatically update antimalware technologies, including signature definitions.
- Mechanisms exist to ensure that anti-malware technologies are continuously running in real time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period.
- Mechanisms exist to validate configurations through integrity checking of software and firmware.
- Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.
- Mechanisms exist to address mobile code / operating system-independent applications.
- Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices, with the following exceptions: networked whiteboards; video teleconference cameras; and teleconference microphones.

Human Resources Security
- Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.
- Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.
- Mechanisms exist to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner.
- Mechanisms exist to govern the termination of individual employment.
- Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential malevolent activity without collusion.

Identification & Authentication
- Mechanisms exist to uniquely identify and authenticate organizational users and processes acting on behalf of organizational users.
- Automated mechanisms exist to employ replay-resistant network access authentication.
- Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for: remote network access; and/or non-console access to critical systems or systems that store, transmit and/or process sensitive data.
- Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for privileged accounts.
- Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts.
- Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts.
- Mechanisms exist to enforce a Role-Based Access Control (RBAC) policy over users and resources that applies need-to-know and fine-grained access control for sensitive data access.
- Mechanisms exist to govern naming standards for usernames and systems.
- Mechanisms exist to securely manage authenticators for users and devices.
- Mechanisms exist to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication.
- Mechanisms exist to protect authenticators commensurate with the sensitivity of the information to which use of the authenticator permits access.
- Mechanisms exist to obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
- Mechanisms exist to proactively govern account management of individual, group, system, application, guest and temporary accounts.
- Automated mechanisms exist to disable inactive accounts after an organization-defined time period.
- Mechanisms exist to periodically review the privileges assigned to users to validate the need for such privileges, and to reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
- Mechanisms exist to enforce logical access permissions through the principle of "least privilege."
- Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.
- Mechanisms exist to prohibit privileged users from using privileged accounts while performing non-security functions.
- Mechanisms exist to prevent non-privileged users from executing privileged functions, to include disabling, circumventing or altering implemented security safeguards / countermeasures.
- Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.
- Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user, and retain the session lock until the user reestablishes access using established identification and authentication methods.
- Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.

Mobile Device Management
- Mechanisms exist to enforce access control requirements for the connection of mobile devices to organizational systems.
- Cryptographic mechanisms exist to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption.

Incident Response
- Mechanisms exist to cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery.
- Automated mechanisms exist to support the incident handling process.
- Mechanisms exist to formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities.
- Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations.
- Mechanisms exist to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
- Mechanisms exist to document, monitor and report the status of cybersecurity and privacy incidents to internal stakeholders all the way through the resolution of the incident.
- Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and privacy incidents to reduce the likelihood or impact of future incidents.
- Mechanisms exist to utilize a detonation chamber capability to detect and/or block potentially malicious files and email attachments.

Information Assurance
- Mechanisms exist to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical system, application or service, as well as influence inputs, entities, systems, applications and processes, providing a historical record of the data and its origins.
- Mechanisms exist to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.

Maintenance
- Mechanisms exist to conduct controlled maintenance activities throughout the lifecycle of the system, application or service.
- Mechanisms exist to control and monitor the use of system maintenance tools.
- Mechanisms exist to check media containing diagnostic and test programs for malicious code before the media are used.
- Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities.
- Mechanisms exist to maintain a current list of authorized maintenance organizations or personnel.

Network Security
- Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers.
- Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.
- Mechanisms exist to configure firewalls and routers to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
- Mechanisms exist to logically or physically segment information flows to accomplish network segmentation.
- Mechanisms exist to terminate remote sessions at the end of the session or after an organization-defined time period of inactivity.
- Mechanisms exist to protect the authenticity and integrity of communications sessions.
- Mechanisms exist to perform data origin authentication and data integrity verification on the Domain Name Service (DNS) resolution responses received from authoritative sources when requested by client systems.
- Mechanisms exist to protect the confidentiality, integrity and availability of electronic messaging communications.
- Automated mechanisms exist to monitor and control remote access sessions.
- Cryptographic mechanisms exist to protect the confidentiality and integrity of remote access sessions.
- Mechanisms exist to route all remote accesses through managed network access control points (e.g., VPN concentrator).
- Mechanisms exist to restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs.
- Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.
- Mechanisms exist to protect wireless access through authentication and strong encryption.
- Mechanisms exist to force Internet-bound network traffic through a proxy device for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.

Physical & Environmental Security
- Mechanisms exist to facilitate the operation of physical and environmental protection controls.
- Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).
- Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).
- Physical access control mechanisms exist to generate a log entry for each access through controlled ingress and egress points.
- Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).
- Physical access control mechanisms exist to restrict un-escorted access to facilities to personnel with required security clearances, formal access authorizations and a validated need for access.
- Physical security mechanisms exist to utilize appropriate management, operational and technical controls at alternate work sites.

Project & Resource Management
- Mechanisms exist to establish a strategic cybersecurity and privacy-specific business plan and set of objectives to achieve that plan.

Risk Management
- Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data.
- Mechanisms exist to remediate risks to an acceptable level.
- Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans.

Security Operations
- Mechanisms exist to establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability.

Secure Engineering & Architecture
- Mechanisms exist to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services.
- Mechanisms exist to separate user functionality from system management functionality.
- Mechanisms exist to prevent unauthorized and unintended information transfer via shared system resources.
- Mechanisms exist to utilize system use notification / logon banners that display an approved system use notification message providing privacy and security notices before granting access to the system.

Security Awareness & Training
- Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.
- Mechanisms exist to include in training practical exercises that simulate actual cyberattacks and are aligned with current threat scenarios.
- Mechanisms exist to include awareness training on recognizing and reporting potential and actual instances of social engineering and social mining.
- Mechanisms exist to provide role-based security-related training: before authorizing access to the system or performing assigned duties; when required by system changes; and annually thereafter.
- Mechanisms exist to ensure that every user accessing a system processing, storing or transmitting sensitive information is formally trained in data handling requirements.

Technology Development & Acquisition
- Mechanisms exist to require system developers/integrators to consult with cybersecurity and privacy personnel to: create and implement a Security Test and Evaluation (ST&E) plan; implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and document the results of the security testing/evaluation and flaw remediation processes.
- Mechanisms exist to prevent unsupported systems by: replacing systems when support for the components is no longer available from the developer, vendor or manufacturer; and requiring justification and documented approval for the continued use of unsupported system components required to satisfy mission/business needs.

Threat Management
- Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.
- Mechanisms exist to maintain situational awareness of evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.
- Mechanisms exist to utilize security awareness training on recognizing and reporting potential indicators of insider threat.

Vulnerability & Patch Management
- Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.
- Mechanisms exist to conduct penetration testing on systems and web applications.
- Mechanisms exist to utilize "red team" exercises to simulate attempts by adversaries to compromise systems and applications in accordance with organization-defined rules of engagement.

Confidently meet compliance requirements with a CMMC Compliance Consultation.

As a NIST Consultant, we help Department of Defense (DoD) contractors throughout the U.S. implement the NIST 800-171 cybersecurity framework in order to comply with DFARS and prepare for an upcoming CMMC audit.

877.659.2261 | corsicatech.com