AC — Access Control
new org
SPRS Score: -1203
Objective Progress: 0 / 70 (0.0%)
CMMC Practices MET: 0 / 22
Domain Score Impact: -54
CMMC scoring changes when all assessment objectives for a practice are MET; objective progress updates as each objective is assessed.
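The scoring rule above, worked through as an added example. This script is not part of the assessment tool shown on this page; it reproduces the rule the page states (a practice's DoD weight is deducted until every one of its objectives is MET, and objective progress counts objectives as they are assessed) over the 22 AC practices, using the weights and objective counts listed on this page. It assumes that an objective marked NOT MET counts as assessed for progress while still blocking the practice; that assumption is flagged in the code.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    NOT_YET_ASSESSED = "Not Yet Assessed"
    MET = "MET"
    NOT_MET = "NOT MET"


@dataclass
class Practice:
    practice_id: str   # e.g. "AC.L1-3.1.1"
    weight: int        # DoD weight (1, 3 or 5) as listed on the page
    objectives: dict   # objective label -> Status, e.g. {"3.1.1[a]": Status.MET}

    def is_met(self) -> bool:
        # MET gate: the practice is MET only when every child objective is MET
        return all(s is Status.MET for s in self.objectives.values())

    def deduction(self) -> int:
        # Full weight is deducted while the gate is closed; nothing once it opens
        return 0 if self.is_met() else -self.weight

    def blocking(self) -> list:
        # Same list the page shows under "Blocking objective statuses"
        return [f"{k} = {v.value}" for k, v in self.objectives.items() if v is not Status.MET]


def build_ac_domain() -> list:
    # (practice id, DoD weight, number of assessment objectives) taken from this page
    spec = [
        ("AC.L1-3.1.1", 5, 6), ("AC.L1-3.1.2", 5, 2), ("AC.L2-3.1.3", 1, 5), ("AC.L2-3.1.4", 1, 3),
        ("AC.L2-3.1.5", 3, 4), ("AC.L2-3.1.6", 1, 2), ("AC.L2-3.1.7", 1, 4), ("AC.L2-3.1.8", 1, 2),
        ("AC.L2-3.1.9", 1, 2), ("AC.L2-3.1.10", 1, 3), ("AC.L2-3.1.11", 1, 2), ("AC.L2-3.1.12", 5, 4),
        ("AC.L2-3.1.13", 5, 2), ("AC.L2-3.1.14", 1, 2), ("AC.L2-3.1.15", 1, 4), ("AC.L2-3.1.16", 5, 2),
        ("AC.L2-3.1.17", 5, 2), ("AC.L2-3.1.18", 5, 3), ("AC.L2-3.1.19", 3, 2), ("AC.L2-3.1.20", 1, 6),
        ("AC.L2-3.1.21", 1, 3), ("AC.L2-3.1.22", 1, 5),
    ]
    practices = []
    for pid, weight, n in spec:
        base = pid.split("-")[1]  # "3.1.1"
        # Objectives are lettered [a], [b], ... exactly as on the page; all start unassessed
        objs = {f"{base}[{chr(ord('a') + i)}]": Status.NOT_YET_ASSESSED for i in range(n)}
        practices.append(Practice(pid, weight, objs))
    return practices


def domain_score_impact(practices) -> int:
    return sum(p.deduction() for p in practices)


def practices_met(practices) -> int:
    return sum(1 for p in practices if p.is_met())


def objective_progress(practices):
    # Assumption: any status other than Not Yet Assessed (MET or NOT MET) counts as assessed
    total = sum(len(p.objectives) for p in practices)
    assessed = sum(1 for p in practices for s in p.objectives.values()
                   if s is not Status.NOT_YET_ASSESSED)
    return assessed, total, round(100.0 * assessed / total, 1)


def set_objective(practices, label: str, status: Status) -> None:
    for p in practices:
        if label in p.objectives:
            p.objectives[label] = status
            return
    raise KeyError(label)


if __name__ == "__main__":
    ac = build_ac_domain()
    print(domain_score_impact(ac), practices_met(ac), objective_progress(ac))  # -54 0 (0, 70, 0.0)
    for lab in ("3.1.1[a]", "3.1.1[b]", "3.1.1[c]", "3.1.1[d]", "3.1.1[e]"):
        set_objective(ac, lab, Status.MET)
    # Five of six objectives MET: progress moves, the deduction does not
    print(domain_score_impact(ac), ac[0].blocking())  # -54 ['3.1.1[f] = Not Yet Assessed']
    set_objective(ac, "3.1.1[f]", Status.MET)
    print(domain_score_impact(ac), practices_met(ac))  # -49 1
```

The point the gate makes for an assessor: partial evidence on a weight-5 practice such as 3.1.1 buys no score at all, so when prioritising remediation, finish the last blocking objective of a heavy practice before opening work on several light ones.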
AC.L1-3.1.1
DoD Weight: 5
Deduction: -5
Basic
Not Yet Assessed
Requirement: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.1[a] = Not Yet Assessed;
3.1.1[b] = Not Yet Assessed;
3.1.1[c] = Not Yet Assessed;
3.1.1[d] = Not Yet Assessed;
3.1.1[e] = Not Yet Assessed;
3.1.1[f] = Not Yet Assessed
Assessment Objectives (6)
3.1.1[a] (Not Yet Assessed) Determine if: authorized users are identified.
3.1.1[b] (Not Yet Assessed) Determine if: processes acting on behalf of authorized users are identified.
3.1.1[c] (Not Yet Assessed) Determine if: devices (including other systems) authorized to connect to the system are identified.
3.1.1[d] (Not Yet Assessed) Determine if: system access is limited to authorized users.
3.1.1[e] (Not Yet Assessed) Determine if: system access is limited to processes acting on behalf of authorized users.
3.1.1[f] (Not Yet Assessed) Determine if: system access is limited to authorized devices (including other systems).
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing account management; security plan; system design documentation; system configuration settings and associated documentation; list of active system accounts and the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; system monitoring records; system audit logs and records; other relevant documents or records; list of devices and other systems authorized to connect to organizational systems].
Interview: [SELECT FROM: Personnel with account management responsibilities; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for managing system accounts; mechanisms for implementing account management].
AC.L1-3.1.2
DoD Weight: 5
Deduction: -5
Basic
Not Yet Assessed
Requirement: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.2[a] = Not Yet Assessed;
3.1.2[b] = Not Yet Assessed
Assessment Objectives (2)
3.1.2[a] (Not Yet Assessed) Determine if: the types of transactions and functions that authorized users are permitted to execute are defined.
3.1.2[b] (Not Yet Assessed) Determine if: system access is limited to the defined types of transactions and functions for authorized users.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; security plan; system design documentation; list of approved authorizations (user privileges) including remote access authorizations; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with access enforcement responsibilities; system or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing access control policy].
AC.L2-3.1.3
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Control the flow of CUI in accordance with approved authorizations.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.3[a] = Not Yet Assessed;
3.1.3[b] = Not Yet Assessed;
3.1.3[c] = Not Yet Assessed;
3.1.3[d] = Not Yet Assessed;
3.1.3[e] = Not Yet Assessed
Assessment Objectives (5)
3.1.3[a] (Not Yet Assessed) Determine if: information flow control policies are defined.
3.1.3[b] (Not Yet Assessed) Determine if: methods and enforcement mechanisms for controlling the flow of CUI are defined.
3.1.3[c] (Not Yet Assessed) Determine if: designated sources and destinations (e.g., networks, individuals, and devices) for CUI within systems and between interconnected systems are identified.
3.1.3[d] (Not Yet Assessed) Determine if: authorizations for controlling the flow of CUI are defined.
3.1.3[e] (Not Yet Assessed) Determine if: approved authorizations for controlling the flow of CUI are enforced.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; security plan; system design documentation; system configuration settings and associated documentation; list of information flow authorizations; system baseline configuration; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing information flow enforcement policy].
AC.L2-3.1.4
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.4[a] = Not Yet Assessed;
3.1.4[b] = Not Yet Assessed;
3.1.4[c] = Not Yet Assessed
Assessment Objectives (3)
3.1.4[a] (Not Yet Assessed) Determine if: the duties of individuals requiring separation to reduce the risk of malevolent activity are defined.
3.1.4[b] (Not Yet Assessed) Determine if: organization-defined duties of individuals requiring separation are separated.
3.1.4[c] (Not Yet Assessed) Determine if: separate accounts for individuals whose duties and accesses must be separated to reduce the risk of malevolent activity or collusion are established.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing divisions of responsibility and separation of duties; security plan; system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; system access authorizations; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for defining divisions of responsibility and separation of duties; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms implementing separation of duties policy].
AC.L2-3.1.5
DoD Weight: 3
Deduction: -3
Derived
Not Yet Assessed
Requirement: Employ the principle of least privilege, including for specific security functions and privileged accounts.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.5[a] = Not Yet Assessed;
3.1.5[b] = Not Yet Assessed;
3.1.5[c] = Not Yet Assessed;
3.1.5[d] = Not Yet Assessed
Assessment Objectives (4)
3.1.5[a] (Not Yet Assessed) Determine if: privileged accounts are identified.
3.1.5[b] (Not Yet Assessed) Determine if: access to privileged accounts is authorized in accordance with the principle of least privilege.
3.1.5[c] (Not Yet Assessed) Determine if: security functions are identified.
3.1.5[d] (Not Yet Assessed) Determine if: access to security functions is authorized in accordance with the principle of least privilege.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing account management; security plan; system design documentation; system configuration settings and associated documentation; list of active system accounts and the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; system monitoring/audit records; other relevant documents or records; procedures addressing least privilege; list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized; list of system-generated privileged accounts; list of system administration personnel].
Interview: [SELECT FROM: Personnel with account management responsibilities; system or network administrators; personnel with information security responsibilities; personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].
Test: [SELECT FROM: Organizational processes for managing system accounts; mechanisms for implementing account management; mechanisms implementing least privilege functions; mechanisms prohibiting privileged access to the system].
AC.L2-3.1.6
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Use non-privileged accounts or roles when accessing nonsecurity functions.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.6[a] = Not Yet Assessed;
3.1.6[b] = Not Yet Assessed
Assessment Objectives (2)
3.1.6[a] (Not Yet Assessed) Determine if: nonsecurity functions are identified.
3.1.6[b] (Not Yet Assessed) Determine if: users are required to use non-privileged accounts or roles when accessing nonsecurity functions.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; security plan; list of system-generated security functions assigned to system accounts or roles; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for defining least privileges necessary to accomplish specified organizational tasks; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms implementing least privilege functions].
AC.L2-3.1.7
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.7[a] = Not Yet Assessed;
3.1.7[b] = Not Yet Assessed;
3.1.7[c] = Not Yet Assessed;
3.1.7[d] = Not Yet Assessed
Assessment Objectives (4)
3.1.7[a] (Not Yet Assessed) Determine if: privileged functions are defined.
3.1.7[b] (Not Yet Assessed) Determine if: non-privileged users are defined.
3.1.7[c] (Not Yet Assessed) Determine if: non-privileged users are prevented from executing privileged functions.
3.1.7[d] (Not Yet Assessed) Determine if: the execution of privileged functions is captured in audit logs.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; security plan; system design documentation; list of privileged functions and associated user account assignments; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing least privilege functions for non-privileged users; mechanisms auditing the execution of privileged functions].
AC.L2-3.1.8
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Limit unsuccessful logon attempts.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.8[a] = Not Yet Assessed;
3.1.8[b] = Not Yet Assessed
Assessment Objectives (2)
3.1.8[a] (Not Yet Assessed) Determine if: the means of limiting unsuccessful logon attempts is defined.
3.1.8[b] (Not Yet Assessed) Determine if: the defined means of limiting unsuccessful logon attempts is implemented.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with information security responsibilities; system developers; system or network administrators].
Test: [SELECT FROM: Mechanisms implementing access control policy for unsuccessful logon attempts].
AC.L2-3.1.9
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Provide privacy and security notices consistent with applicable CUI rules.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.9[a] = Not Yet Assessed;
3.1.9[b] = Not Yet Assessed
Assessment Objectives (2)
3.1.9[a] (Not Yet Assessed) Determine if: privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category.
3.1.9[b] (Not Yet Assessed) Determine if: privacy and security notices are displayed.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; privacy and security policies, procedures addressing system use notification; documented approval of system use notification messages or banners; system audit logs and records; system design documentation; user acknowledgements of notification message or banner; security plan; system use notification messages; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibility for providing legal advice; system developers].
Test: [SELECT FROM: Mechanisms implementing system use notification].
AC.L2-3.1.10
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.10[a] = Not Yet Assessed;
3.1.10[b] = Not Yet Assessed;
3.1.10[c] = Not Yet Assessed
Assessment Objectives (3)
3.1.10[a] (Not Yet Assessed) Determine if: the period of inactivity after which the system initiates a session lock is defined.
3.1.10[b] (Not Yet Assessed) Determine if: access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity.
3.1.10[c] (Not Yet Assessed) Determine if: previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing session lock; procedures addressing identification and authentication; system design documentation; system configuration settings and associated documentation; security plan; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing access control policy for session lock].
AC.L2-3.1.11
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Terminate (automatically) a user session after a defined condition.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.11[a] = Not Yet Assessed;
3.1.11[b] = Not Yet Assessed
Assessment Objectives (2)
3.1.11[a] (Not Yet Assessed) Determine if: conditions requiring a user session to terminate are defined.
3.1.11[b] (Not Yet Assessed) Determine if: a user session is automatically terminated after any of the defined conditions occur.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing session termination; system design documentation; security plan; system configuration settings and associated documentation; list of conditions or trigger events requiring session disconnect; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing user session termination].
AC.L2-3.1.12
DoD Weight: 5
Deduction: -5
Derived
Not Yet Assessed
Requirement: Monitor and control remote access sessions.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.12[a] = Not Yet Assessed;
3.1.12[b] = Not Yet Assessed;
3.1.12[c] = Not Yet Assessed;
3.1.12[d] = Not Yet Assessed
Assessment Objectives (4)
3.1.12[a] (Not Yet Assessed) Determine if: remote access sessions are permitted.
3.1.12[b] (Not Yet Assessed) Determine if: the types of permitted remote access are identified.
3.1.12[c] (Not Yet Assessed) Determine if: remote access sessions are controlled.
3.1.12[d] (Not Yet Assessed) Determine if: remote access sessions are monitored.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing remote access implementation and usage (including restrictions); configuration management plan; security plan; system configuration settings and associated documentation; remote access authorizations; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for managing remote access connections; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Remote access management capability for the system].
AC.L2-3.1.13
DoD Weight: 5
Deduction: -5
Derived
Not Yet Assessed
Requirement: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.13[a] = Not Yet Assessed;
3.1.13[b] = Not Yet Assessed
Assessment Objectives (2)
3.1.13[a] (Not Yet Assessed) Determine if: cryptographic mechanisms to protect the confidentiality of remote access sessions are identified.
3.1.13[b] (Not Yet Assessed) Determine if: cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the system; security plan; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Cryptographic mechanisms protecting remote access sessions].
AC.L2-3.1.14
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Route remote access via managed access control points.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.14[a] = Not Yet Assessed;
3.1.14[b] = Not Yet Assessed
Assessment Objectives (2)
3.1.14[a] (Not Yet Assessed) Determine if: managed access control points are identified and implemented.
3.1.14[b] (Not Yet Assessed) Determine if: remote access is routed through managed network access control points.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the system; security plan; system design documentation; list of all managed network access control points; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms routing all remote accesses through managed network access control points].
AC.L2-3.1.15
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Authorize remote execution of privileged commands and remote access to security-relevant information.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.15[a] = Not Yet Assessed;
3.1.15[b] = Not Yet Assessed;
3.1.15[c] = Not Yet Assessed;
3.1.15[d] = Not Yet Assessed
Assessment Objectives (4)
3.1.15[a] (Not Yet Assessed) Determine if: privileged commands authorized for remote execution are identified.
3.1.15[b] (Not Yet Assessed) Determine if: security-relevant information authorized to be accessed remotely is identified.
3.1.15[c] (Not Yet Assessed) Determine if: the execution of the identified privileged commands via remote access is authorized.
3.1.15[d] (Not Yet Assessed) Determine if: access to the identified security-relevant information via remote access is authorized.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the system; system configuration settings and associated documentation; security plan; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms implementing remote access management].
AC.L2-3.1.16
DoD Weight: 5
Deduction: -5
Derived
Not Yet Assessed
Requirement: Authorize wireless access prior to allowing such connections.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.16[a] = Not Yet Assessed;
3.1.16[b] = Not Yet Assessed
Assessment Objectives (2)
3.1.16[a] (Not Yet Assessed) Determine if: wireless access points are identified.
3.1.16[b] (Not Yet Assessed) Determine if: wireless access is authorized prior to allowing such connections.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; configuration management plan; procedures addressing wireless access implementation and usage (including restrictions); security plan; system design documentation; system configuration settings and associated documentation; wireless access authorizations; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for managing wireless access connections; personnel with information security responsibilities].
Test: [SELECT FROM: Wireless access management capability for the system].
AC.L2-3.1.17
DoD Weight: 5
Deduction: -5
Derived
Not Yet Assessed
Requirement: Protect wireless access using authentication and encryption.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.17[a] = Not Yet Assessed;
3.1.17[b] = Not Yet Assessed
Assessment Objectives (2)
3.1.17[a] (Not Yet Assessed) Determine if: wireless access to the system is protected using encryption.
3.1.17[b] (Not Yet Assessed) Determine if: wireless access to the system is protected using authentication.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; system design documentation; procedures addressing wireless implementation and usage (including restrictions); security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing wireless access protections to the system].
AC.L2-3.1.18
DoD Weight: 5
Deduction: -5
Derived
Not Yet Assessed
Requirement: Control connection of mobile devices.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.18[a] = Not Yet Assessed;
3.1.18[b] = Not Yet Assessed;
3.1.18[c] = Not Yet Assessed
Assessment Objectives (3)
3.1.18[a] (Not Yet Assessed) Determine if: mobile devices that process, store, or transmit CUI are identified.
3.1.18[b] (Not Yet Assessed) Determine if: the connection of mobile devices is authorized.
3.1.18[c] (Not Yet Assessed) Determine if: mobile device connections are monitored and logged.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; authorizations for mobile device connections to organizational systems; procedures addressing access control for mobile device usage (including restrictions); system design documentation; configuration management plan; security plan; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel using mobile devices to access organizational systems; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Access control capability authorizing mobile device connections to organizational systems].
AC.L2-3.1.19
DoD Weight: 3
Deduction: -3
Derived
Not Yet Assessed
Requirement: Encrypt CUI on mobile devices and mobile computing platforms.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.19[a] = Not Yet Assessed;
3.1.19[b] = Not Yet Assessed
Assessment Objectives (2)
3.1.19[a] (Not Yet Assessed) Determine if: mobile devices and mobile computing platforms that process, store, or transmit CUI are identified.
3.1.19[b] (Not Yet Assessed) Determine if: encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
AC.L2-3.1.20
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Verify and control/limit connections to and use of external systems.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.20[a] = Not Yet Assessed;
3.1.20[b] = Not Yet Assessed;
3.1.20[c] = Not Yet Assessed;
3.1.20[d] = Not Yet Assessed;
3.1.20[e] = Not Yet Assessed;
3.1.20[f] = Not Yet Assessed
Assessment Objectives (6)
3.1.20[a] (Not Yet Assessed) Determine if: connections to external systems are identified.
3.1.20[b] (Not Yet Assessed) Determine if: use of external systems is identified.
3.1.20[c] (Not Yet Assessed) Determine if: connections to external systems are verified.
3.1.20[d] (Not Yet Assessed) Determine if: use of external systems is verified.
3.1.20[e] (Not Yet Assessed) Determine if: connections to external systems are controlled/limited.
3.1.20[f] (Not Yet Assessed) Determine if: use of external systems is controlled/limited.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external systems; terms and conditions for external systems; security plan; list of types of applications accessible from external systems; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms implementing terms and conditions on use of external systems].
AC.L2-3.1.21
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Limit use of organizational portable storage devices on external systems.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.21[a] = Not Yet Assessed;
3.1.21[b] = Not Yet Assessed;
3.1.21[c] = Not Yet Assessed
Assessment Objectives (3)
3.1.21[a] (Not Yet Assessed) Determine if: use of organizational portable storage devices containing CUI on external systems is identified and documented.
3.1.21[b] (Not Yet Assessed) Determine if: limits on the use of organizational portable storage devices containing CUI on external systems are defined.
3.1.21[c] (Not Yet Assessed) Determine if: use of organizational portable storage devices containing CUI on external systems is limited as defined.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external systems; security plan; system configuration settings and associated documentation; system connection or processing agreements; account management documents; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external systems; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms implementing restrictions on use of portable storage devices].
AC.L2-3.1.22
DoD Weight: 1
Deduction: -1
Derived
Not Yet Assessed
Requirement: Control CUI posted or processed on publicly accessible systems.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses:
3.1.22[a] = Not Yet Assessed;
3.1.22[b] = Not Yet Assessed;
3.1.22[c] = Not Yet Assessed;
3.1.22[d] = Not Yet Assessed;
3.1.22[e] = Not Yet Assessed
Assessment Objectives (5)
3.1.22[a] (Not Yet Assessed) Determine if: individuals authorized to post or process information on publicly accessible systems are identified.
3.1.22[b] (Not Yet Assessed) Determine if: procedures to ensure CUI is not posted or processed on publicly accessible systems are identified.
3.1.22[c] (Not Yet Assessed) Determine if: a review process is in place prior to posting of any content to publicly accessible systems.
3.1.22[d] (Not Yet Assessed) Determine if: content on publicly accessible information systems is reviewed to ensure that it does not include CUI.
3.1.22[e] (Not Yet Assessed) Determine if: mechanisms are in place to remove and address improper posting of CUI.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Access control policy; procedures addressing publicly accessible content; security plan; list of users authorized to post publicly accessible content on organizational systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public websites; system audit logs and records; security awareness training records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for managing publicly accessible information posted on organizational systems; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms implementing management of publicly accessible content].