CMMC 2.13
CMMC Practices
Each practice, grouped by domain and cross-referenced to the NIST controls that support it.
110 practices
AC
Access Control22AC.L2-3.1.1Authorized Access Control [CUI Data]1 refL2AC.L2-3.1.2Transaction & Function Control [CUI Data]1 refL2AC.L2-3.1.3Control CUI Flow1 refL2AC.L2-3.1.4Separation of Duties1 refL2AC.L2-3.1.5Least Privilege1 refL2AC.L2-3.1.6Non-Privileged Account Use1 refL2AC.L2-3.1.7Privileged Functions1 refL2AC.L2-3.1.8Unsuccessful Logon Attempts1 refL2AC.L2-3.1.9Privacy & Security Notices1 refL2AC.L2-3.1.10Session Lock1 refL2AC.L2-3.1.11Session Termination1 refL2AC.L2-3.1.12Control Remote Access1 refL2AC.L2-3.1.13Remote Access Confidentiality1 refL2AC.L2-3.1.14Remote Access Routing1 refL2AC.L2-3.1.15Privileged Remote Access1 refL2AC.L2-3.1.16Wireless Access Authorization1 refL2AC.L2-3.1.17Wireless Access Protection1 refL2AC.L2-3.1.18Mobile Device Connection1 refL2AC.L2-3.1.19Encrypt CUI on Mobile1 refL2AC.L2-3.1.20External Connections [CUI Data]1 refL2AC.L2-3.1.21Portable Storage Use1 refL2AC.L2-3.1.22Control Public Information [CUI Data]1 refL2
AT
Awareness & Training3AU
Audit & Accountability9AU.L2-3.3.1System Auditing1 refL2AU.L2-3.3.2User Accountability1 refL2AU.L2-3.3.3Event Review1 refL2AU.L2-3.3.4Audit Failure Alerting1 refL2AU.L2-3.3.5Audit Correlation1 refL2AU.L2-3.3.6Reduction & Reporting1 refL2AU.L2-3.3.7Authoritative Time Source1 refL2AU.L2-3.3.8Audit Protection1 refL2AU.L2-3.3.9Audit Management1 refL2
CM
Configuration Management9CM.L2-3.4.1System Baselining1 refL2CM.L2-3.4.2Security Configuration Enforcement1 refL2CM.L2-3.4.3System Change Management1 refL2CM.L2-3.4.4Security Impact Analysis1 refL2CM.L2-3.4.5Access Restrictions for Change1 refL2CM.L2-3.4.6Least Functionality1 refL2CM.L2-3.4.7Nonessential Functionality1 refL2CM.L2-3.4.8Application Execution Policy1 refL2CM.L2-3.4.9User-Installed Software1 refL2
IA
Identification & Authentication11IA.L2-3.5.1Identification [CUI Data]1 refL2IA.L2-3.5.2Authentication [CUI Data]1 refL2IA.L2-3.5.3Multifactor Authentication1 refL2IA.L2-3.5.4Replay-Resistant Authentication1 refL2IA.L2-3.5.5Identifier Reuse1 refL2IA.L2-3.5.6Identifier Handling1 refL2IA.L2-3.5.7Password Complexity1 refL2IA.L2-3.5.8Password Reuse1 refL2IA.L2-3.5.9Temporary Passwords1 refL2IA.L2-3.5.10Cryptographically-Protected Passwords1 refL2IA.L2-3.5.11Obscure Feedback1 refL2
IR
Incident Response3MA
Maintenance6MP
Media Protection9MP.L2-3.8.1Media Protection1 refL2MP.L2-3.8.2Media Access1 refL2MP.L2-3.8.3Media Disposal [CUI Data]1 refL2MP.L2-3.8.4Media Markings1 refL2MP.L2-3.8.5Media Accountability1 refL2MP.L2-3.8.6Portable Storage Encryption1 refL2MP.L2-3.8.7Removable Media1 refL2MP.L2-3.8.8Shared Media1 refL2MP.L2-3.8.9Protect Backups1 refL2
PS
Personnel Security2PE
Physical Protection6RA
Risk Assessment3CA
Security Assessment4SC
System & Communications Protection16SC.L2-3.13.1Boundary Protection [CUI Data]1 refL2SC.L2-3.13.2Security Engineering1 refL2SC.L2-3.13.3Role Separation1 refL2SC.L2-3.13.4Shared Resource Control1 refL2SC.L2-3.13.5Public-Access System Separation [CUI Data]1 refL2SC.L2-3.13.6Network Communication by Exception1 refL2SC.L2-3.13.7Split Tunneling1 refL2SC.L2-3.13.8Data in Transit1 refL2SC.L2-3.13.9Connections Termination1 refL2SC.L2-3.13.10Key Management1 refL2SC.L2-3.13.11CUI Encryption1 refL2SC.L2-3.13.12Collaborative Device Control1 refL2SC.L2-3.13.13Mobile Code1 refL2SC.L2-3.13.14Voice over Internet Protocol1 refL2SC.L2-3.13.15Communications Authenticity1 refL2SC.L2-3.13.16Data at Rest1 refL2
SI
System & Information Integrity7SI.L2-3.14.1Flaw Remediation [CUI Data]1 refL2SI.L2-3.14.2Malicious Code Protection [CUI Data]1 refL2SI.L2-3.14.3Security Alerts & Advisories1 refL2SI.L2-3.14.4Update Malicious Code Protection [CUI Data]1 refL2SI.L2-3.14.5System & File Scanning [CUI Data]1 refL2SI.L2-3.14.6Monitor Communications for Attacks1 refL2SI.L2-3.14.7Identify Unauthorized Use1 refL2
Looking for the underlying standards? Browse NIST SP 800-171, 800-172 & 800-53 →