These pages cover the CMMC Level 2 practices that I’ve seen cause the most problems in real assessments. Most of them aren’t technically complex. They’re just hard to articulate when you’re sitting across from an assessor.
Each page follows the same structure: what the assessor is actually looking for, what a realistic SSP definition looks like, how to present your evidence, what gets flagged, and how shared responsibility works if you use an MSP or MSSP.
I’m adding new practices regularly. If you hit an acronym you don’t recognize, the glossary has you covered.
AC.L2-3.1.1
Who Has Access to CUI? How to Pass AC.L2-3.1.1
Limit system access to authorized users, processes acting on behalf of authorized users, and devices, and explain how you prove it.
AC.L2-3.1.2
AC.L2-3.1.2: Transaction & Function Control
Limit user actions to only what their job function requires.
AC.L2-3.1.3
AC.L2-3.1.3: Control CUI Flow
Prevent CUI from moving to unauthorized systems, users, or locations.
AC.L2-3.1.4
Separation of Duties for Small Contractors: AC.L2-3.1.4 Guide
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
AC.L2-3.1.5
AC.L2-3.1.5: Least Privilege
Employ the principle of least privilege, including for specific security functions and privileged accounts.
AC.L2-3.1.6
AC.L2-3.1.6: Non-Privileged Account Use
Require privileged users to use non-privileged accounts or roles when accessing nonsecurity functions.
AC.L2-3.1.7
AC.L2-3.1.7: Privileged Functions
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
AC.L2-3.1.8
AC.L2-3.1.8: Unsuccessful Logon Attempts
Limit unsuccessful logon attempts to protect against brute-force password attacks.
AC.L2-3.1.9
AC.L2-3.1.9: Privacy and Security Notices
Provide privacy and security notices consistent with applicable CUI rules before granting access to the system.
AC.L2-3.1.10
AC.L2-3.1.10: Session Lock
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
AC.L2-3.1.11
AC.L2-3.1.11: Session Termination
Lock sessions after a defined inactivity period to prevent unattended access to active user accounts.
AC.L2-3.1.12
AC.L2-3.1.12: Control Remote Access
Monitor and control all remote access sessions to systems handling CUI with an auditable log trail.
AC.L2-3.1.13
AC.L2-3.1.13: Remote Access Confidentiality
Employ cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC.L2-3.1.14
AC.L2-3.1.14: Remote Access Routing
Route remote access sessions through managed access control points and apply restrictions before reaching CUI systems.
AC.L2-3.1.15
AC.L2-3.1.15: Privileged Remote Access
Authorize remote execution of privileged commands through defined approval processes and maintain detailed audit trails.
AC.L2-3.1.16
AC.L2-3.1.16: Wireless Access Authorization
Authorize wireless access prior to allowing connections, and explain how you control who gets on your network.
AC.L2-3.1.17
AC.L2-3.1.17: Wireless Access Protection
Protect wireless access using authentication and encryption, and demonstrate that your wireless network actually requires both.
AC.L2-3.1.18
Mobile Device Access to CUI Systems: AC.L2-3.1.18 Guide
Control the connection of mobile devices to your systems, and demonstrate that you know which mobile devices can access what.
AC.L2-3.1.19
AC.L2-3.1.19: Encrypt CUI on Mobile Devices
Encrypt CUI stored on mobile devices and mobile computing platforms, and prove that encryption is actually enforced.
AC.L2-3.1.20
AC.L2-3.1.20: External Connections
Verify and control connections to external information systems, and explain how you prevent unauthorized data flow.
AC.L2-3.1.21
AC.L2-3.1.21: Portable Storage Use
Limit the use of portable storage devices on external systems, and explain how you prevent data leakage via USB, SD cards, and other removable media.
AC.L2-3.1.22
AC.L2-3.1.22: Control Public Information
Control information posted on publicly accessible systems, and explain how you prevent CUI from being exposed.
AT.L2-3.2.1
AT.L2-3.2.1: Security Awareness Training
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
AT.L2-3.2.2
AT.L2-3.2.2: Role-Based Training
Personnel with security duties receive training specific to their assigned information security responsibilities.
AT.L2-3.2.3
AT.L2-3.2.3: Insider Threat Awareness
Provide security awareness training that addresses insider threats, including how to recognize and report suspicious behavior.
AU.L2-3.3.1
AU.L2-3.3.1: System Auditing
Create and retain system audit logs and records to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
AU.L2-3.3.2
AU.L2-3.3.2: User Accountability
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
AU.L2-3.3.3
AU.L2-3.3.3: Audit Review, Analysis, and Reporting
Regularly review and analyze audit logs to identify security events, then report findings to management.
AU.L2-3.3.4
Alerting When Audit Logging Fails: AU.L2-3.3.4 Guide
Alert system administrators and security personnel immediately when audit logging or analysis failures occur.
AU.L2-3.3.5
Log Correlation Across Systems: AU.L2-3.3.5 Guide
Correlate audit data from multiple sources to identify patterns and complex attack sequences that individual logs cannot detect.
AU.L2-3.3.6
Audit Log Filtering and Reporting: AU.L2-3.3.6 Guide
Create tools and processes to filter audit logs and generate reports that focus on security-relevant events rather than routine system activity.
AU.L2-3.3.7
AU.L2-3.3.7: Authoritative Time Source
Synchronize all system clocks to a reliable, authoritative time source so audit logs are trustworthy and events can be correlated accurately.
AU.L2-3.3.8
Protecting Audit Logs from Tampering: AU.L2-3.3.8 Guide
Protect audit logs from unauthorized access, modification, and deletion to preserve their integrity as evidence.
AU.L2-3.3.9
AU.L2-3.3.9: Audit Management
Limit audit log management functions (configuration, deletion, archival) to authorized individuals to prevent tampering.
CM.L2-3.4.1
Baseline Configs and System Inventory: CM.L2-3.4.1 Guide
Document and maintain the approved state of every system and keep an inventory of everything connected to your network.
CM.L2-3.4.2
CM.L2-3.4.2: Security Configuration Enforcement
Establish and enforce security configuration settings for information technology products employed in organizational systems.
CM.L2-3.4.3
CM.L2-3.4.3: System Change Management
Track, review, and approve or disapprove changes to systems in the CUI boundary.
CM.L2-3.4.4
Assessing Risk Before Making Changes: CM.L2-3.4.4 Guide
Analyze the security impact of changes to information systems before implementation.
CM.L2-3.4.5
Who Can Make Changes to CUI Systems: CM.L2-3.4.5 Guide
Define, document, and enforce approval requirements for physical and logical access to systems.
CM.L2-3.4.6
CM.L2-3.4.6: Least Functionality
Employ the principle of least functionality by configuring systems to run only essential services and software.
CM.L2-3.4.7
CM.L2-3.4.7: Nonessential Functionality
Restrict or disable nonessential functions, ports, protocols, and services.
CM.L2-3.4.8
CM.L2-3.4.8: Application Execution Policy
Apply a deny-by-exception application execution policy to restrict software to authorized applications only.
CM.L2-3.4.9
CM.L2-3.4.9: User-Installed Software
Control user-installed software to prevent unauthorized applications from running on systems.
IA.L2-3.5.1
IA.L2-3.5.1: Identification
Identify system users, processes, and devices on your network and maintain a record of who or what has access.
IA.L2-3.5.2
MFA, Passwords, and Device Auth: IA.L2-3.5.2 Guide
Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
IA.L2-3.5.3
IA.L2-3.5.3: Multifactor Authentication
Require multifactor authentication for privileged and network access.
IA.L2-3.5.4
IA.L2-3.5.4: Replay-Resistant Authentication
Implement authentication mechanisms that prevent replay attacks.
IA.L2-3.5.5
IA.L2-3.5.5: Identifier Management
Manage identifiers for users, processes, and devices throughout their lifecycle.
IA.L2-3.5.6
IA.L2-3.5.6: Identifier Deactivation
Disable identifiers when users, processes, or devices are no longer active.
IA.L2-3.5.7
IA.L2-3.5.7: Password Complexity
Enforce minimum password complexity for user authentication.
IA.L2-3.5.8
IA.L2-3.5.8: Password Reuse
Prohibit password reuse for a specified minimum number of generations.
IA.L2-3.5.9
IA.L2-3.5.9: Temporary Passwords
Establish temporary passwords and require a change upon first logon.
IA.L2-3.5.10
IA.L2-3.5.10: Cryptographically-Protected Passwords
Store and transmit passwords using approved cryptographic methods.
IA.L2-3.5.11
IA.L2-3.5.11: Obscure Feedback
Obscure authentication feedback to prevent information disclosure.
IR.L2-3.6.1
IR.L2-3.6.1: Incident Handling
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
IR.L2-3.6.2
IR.L2-3.6.2: Incident Reporting
Document and report confirmed incidents to internal leadership and external authorities as required.
IR.L2-3.6.3
IR.L2-3.6.3: Test Incident Response
Test your incident response capability at least annually to ensure your team can execute the plan when a real incident occurs.
MA.L2-3.7.1
MA.L2-3.7.1: System Maintenance
Perform maintenance on organizational systems.
MA.L2-3.7.2
MA.L2-3.7.2: Maintenance Tools
Control and inspect tools used during maintenance to ensure they don't introduce malicious code or compromise system security.
MA.L2-3.7.3
MA.L2-3.7.3: Equipment Sanitization
Sanitize equipment containing CUI before removal from your facility for maintenance or repairs to prevent data exposure.
MA.L2-3.7.4
MA.L2-3.7.4: Media Inspection
Inspect media (drives, tapes, USB devices) used for maintenance or storage with diagnostic tools to detect malicious code.
MA.L2-3.7.5
MA.L2-3.7.5: Nonlocal Maintenance
Require multi-factor authentication (MFA) for any remote access by vendors or support personnel for maintenance purposes.
MA.L2-3.7.6
MA.L2-3.7.6: Maintenance Personnel
Supervise maintenance and repair activities performed by unauthorized or external personnel to prevent unauthorized system access.
MP.L2-3.8.1
MP.L2-3.8.1: Media Protection
Protect system media containing CUI by implementing physical and digital safeguards against unauthorized access, damage, and theft.
MP.L2-3.8.2
MP.L2-3.8.2: Media Access
Limit access to CUI on system media by restricting it to authorized users with a documented business need.
MP.L2-3.8.3
MP.L2-3.8.3: Media Sanitization
Sanitize or destroy media containing CUI before disposal or reuse to prevent unauthorized recovery of sensitive data.
MP.L2-3.8.4
MP.L2-3.8.4: Media Marking
Mark media with CUI indicators and distribution limitations to identify sensitivity and control distribution.
MP.L2-3.8.5
MP.L2-3.8.5: Media Accountability
Control access to media containing CUI during transport and maintain accountability through documented transfer procedures.
MP.L2-3.8.6
MP.L2-3.8.6: Portable Storage Encryption
Implement cryptographic mechanisms to protect CUI on portable storage devices such as external drives and USB sticks.
MP.L2-3.8.7
MP.L2-3.8.7: Removable Media
Control the use of removable media on system components to prevent unauthorized data transfer or loss of CUI.
MP.L2-3.8.8
MP.L2-3.8.8: Shared Media
Prohibit the use of portable storage devices without an identifiable owner to prevent unauthorized data transfer and ensure accountability.
MP.L2-3.8.9
MP.L2-3.8.9: Protect Backups
Protect CUI at backup storage locations with the same controls as primary storage to prevent data loss or unauthorized access.
PS.L2-3.9.1
Personnel Screening for CUI Access: PS.L2-3.9.1 Guide
Conduct screening of individuals prior to granting access to systems or facilities containing CUI.
PS.L2-3.9.2
PS.L2-3.9.2: Personnel Actions
Protect CUI during personnel actions (terminations, transfers, role changes) by revoking access and securing data.
PE.L2-3.10.1
PE.L2-3.10.1: Limit Physical Access
Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
PE.L2-3.10.2
PE.L2-3.10.2: Monitor Physical Facility
Maintain surveillance and environmental controls over your physical facility.
PE.L2-3.10.3
PE.L2-3.10.3: Escort Visitors
Escort visitors in secure areas and monitor their activity to prevent unauthorized access to CUI systems or facilities.
PE.L2-3.10.4
PE.L2-3.10.4: Physical Access Logs
Maintain audit logs of physical access to secure areas where CUI systems are located.
PE.L2-3.10.5
PE.L2-3.10.5: Manage Physical Access
Control physical access to output devices and storage media to prevent unauthorized access to CUI.
PE.L2-3.10.6
PE.L2-3.10.6: Alternative Work Sites
Enforce the same security safeguards at alternate work sites (home offices, remote locations) as you do at your primary facility.
RA.L2-3.11.1
RA.L2-3.11.1: Risk Assessments
Periodically assess the risk to organizational operations, assets, and individuals arising from the operation of systems that process, store, or transmit CUI.
RA.L2-3.11.2
RA.L2-3.11.2: Vulnerability Scanning
Scan for vulnerabilities periodically and when new vulnerabilities are identified.
RA.L2-3.11.3
RA.L2-3.11.3: Vulnerability Remediation
Remediate vulnerabilities in accordance with assessments of risk.
CA.L2-3.12.1
CA.L2-3.12.1: Security Control Assessment
Periodically assess security controls for effectiveness.
CA.L2-3.12.2
CA.L2-3.12.2: Plan of Action
Develop and implement plans of action to correct deficiencies.
CA.L2-3.12.3
CA.L2-3.12.3: Security Control Monitoring
Monitor security controls on an ongoing basis.
CA.L2-3.12.4
Writing Your SSP: System Security Plan Guide (CA.L2-3.12.4)
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
SC.L2-3.13.1
SC.L2-3.13.1: Boundary Protection
Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems.
SC.L2-3.13.2
SC.L2-3.13.2: Security Engineering Principles
Build security into your systems from the start, not as an afterthought.
SC.L2-3.13.3
SC.L2-3.13.3: Security Function Isolation
Separate user functionality from system management.
SC.L2-3.13.4
SC.L2-3.13.4: Shared Resource Control
Prevent unauthorized or unintended information transfer via shared resources.
SC.L2-3.13.5
SC.L2-3.13.5: Public-Access System Separation
Deny network communications traffic by default on external interfaces.
SC.L2-3.13.6
SC.L2-3.13.6: Network Communication by Exception
Deny network communications by default, allow by exception.
SC.L2-3.13.7
Split Tunneling and VPN Requirements: SC.L2-3.13.7 Guide
Prevent remote devices from simultaneously establishing non-remote connections.
SC.L2-3.13.8
SC.L2-3.13.8: CUI in Transit
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission.
SC.L2-3.13.9
SC.L2-3.13.9: Network Disconnect
Terminate network connections at end of session or after inactivity.
SC.L2-3.13.10
SC.L2-3.13.10: Key Management
Establish and manage cryptographic keys.
SC.L2-3.13.11
SC.L2-3.13.11: CUI Encryption
Employ FIPS-validated cryptography for CUI.
SC.L2-3.13.12
Controlling Teams, Zoom, and Webcams: SC.L2-3.13.12 Guide
Prohibit remote activation of collaborative computing devices.
SC.L2-3.13.13
SC.L2-3.13.13: Mobile Code
Control and monitor the use of mobile code.
SC.L2-3.13.14
SC.L2-3.13.14: Voice over Internet Protocol
Control and monitor the use of VoIP.
SC.L2-3.13.15
SC.L2-3.13.15: Communications Authenticity
Protect the authenticity of communications sessions.
SC.L2-3.13.16
SC.L2-3.13.16: Data at Rest
Protect CUI at rest.
SI.L2-3.14.1
SI.L2-3.14.1: Flaw Remediation
Identify, report, and correct system flaws in a timely manner.
SI.L2-3.14.2
SI.L2-3.14.2: Malicious Code Protection
Provide protection from malicious code at designated locations within organizational systems.
SI.L2-3.14.3
SI.L2-3.14.3: Security Alerts
Monitor security alerts and advisories, and act on them when appropriate.
SI.L2-3.14.4
SI.L2-3.14.4: Update Malicious Code Protection
Update malicious code protection mechanisms as new releases are available.
SI.L2-3.14.5
SI.L2-3.14.5: System and File Scanning
Perform periodic scans and real-time scans of files from external sources.
SI.L2-3.14.6
SI.L2-3.14.6: Monitor Communications
Monitor organizational systems, including inbound and outbound communications.
SI.L2-3.14.7
SI.L2-3.14.7: Identify Unauthorized Use
Identify unauthorized use of organizational systems.