CMMC Compliance With Smallstep SSH
Smallstep SSH delivers on CMMC compliance and audits. Use the table below to identify the DoD Cybersecurity Maturity Model Certification (CMMC) practices Smallstep SSH can solve for you today.
| Capability | Practice ID | Practice | CMMC 1 | CMMC 3 | CMMC 5 | NIST 800-53 R5 | DSP 2020.4 |
|---|---|---|---|---|---|---|---|
| C001 Establish system access requirements | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | ✓ | ✓ | ✓ | AC-2, AC-3, AC-17 | IAC-20 |
| C002 Control internal system access | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | ✓ | ✓ | ✓ | AC-2, AC-3, AC-17 | IAC-15 |
| C002 Control internal system access | AC.2.007 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | N/A | ✓ | ✓ | AC-6, AC-6(1), AC-6(5) | IAC-21 |
| C002 Control internal system access | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | N/A | ✓ | ✓ | AC-6(2) | IAC-21.2 |
| C002 Control internal system access | AC.2.009 | Limit unsuccessful logon attempts. | N/A | ✓ | ✓ | AC-7 | IAC-22 |
| C002 Control internal system access | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | N/A | ✓ | ✓ | AC-5 | HRS-11 |
| C002 Control internal system access | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | N/A | ✓ | ✓ | AC-6(9), AC-6(10) | IAC-21.5 |
| C002 Control internal system access | AC.3.019 | Terminate (automatically) user sessions after a defined condition. | N/A | ✓ | ✓ | AC-12 | IAC-25 |
| C003 Control remote system access | AC.2.013 | Monitor and control remote access sessions. | N/A | ✓ | ✓ | AC-17(1) | NET-14.1 |
| C003 Control remote system access | AC.3.014 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | N/A | ✓ | ✓ | AC-17(2) | NET-14.2 |
| C004 Limit data access to authorized users and processes | AC.1.003 | Verify and control/limit connections to and use of external information systems. | ✓ | ✓ | ✓ | AC-20, AC-20(1) | DCH-13 |
| C007 Define audit requirements | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | N/A | ✓ | ✓ | AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12 | MON-03 |
| C007 Define audit requirements | AU.3.045 | Review and update logged events. | N/A | ✓ | ✓ | AU-2 | MON-01.8 |
| C008 Perform auditing | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity. | N/A | ✓ | ✓ | AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12 | MON-10 |
| C008 Perform auditing | AU.2.043 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | N/A | ✓ | ✓ | AU-8, SC-45(1) | MON-07.1 |
| C008 Perform auditing | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | N/A | ✓ | ✓ | AU-6(4) | MON-02 |
| C013 Establish configuration baselines | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware and documentation) throughout the respective system development life cycles. | N/A | ✓ | ✓ | CM-2, CM-6, CM-8, CM-8(1) | AST-02 |
| C015 Grant access to authenticated entities | IA.1.076 | Identify information system users, processes acting on behalf of users, or devices. | ✓ | ✓ | ✓ | IA-2, IA-3, IA-6 | IAC-02 |
| C015 Grant access to authenticated entities | IA.1.077 | Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems. | ✓ | ✓ | ✓ | IA-2, IA-3, IA-5 | IAC-02 |
| C015 Grant access to authenticated entities | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | N/A | ✓ | ✓ | IA-5(1) | IAC-10.1 |
| C015 Grant access to authenticated entities | IA.2.079 | Prohibit password reuse for a specified number of generations. | N/A | ✓ | ✓ | IA-5(1) | IAC-10 |
| C015 Grant access to authenticated entities | IA.2.080 | Allow temporary password use for system logons with an immediate change to a permanent password. | N/A | ✓ | ✓ | IA-5(1) | IAC-10 |
| C015 Grant access to authenticated entities | IA.2.081 | Store and transmit only cryptographically-protected passwords. | N/A | ✓ | ✓ | IA-5(1) | IAC-10.5 |
| C015 Grant access to authenticated entities | IA.2.082 | Obscure feedback of authentication information. | N/A | ✓ | ✓ | IA-6 | IAC-11 |
| C015 Grant access to authenticated entities | IA.3.083 | Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | N/A | ✓ | ✓ | IA-2(1), IA-2(2) | IAC-06 |
| C015 Grant access to authenticated entities | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | N/A | ✓ | ✓ | IA-2(8) | IAC-02.2 |
| C015 Grant access to authenticated entities | IA.3.085 | Prevent the reuse of identifiers for a defined period. | N/A | ✓ | ✓ | IA-4 | IAC-09 |
| C015 Grant access to authenticated entities | IA.3.086 | Disable identifiers after a defined period of inactivity. | N/A | ✓ | ✓ | IA-4 | IAC-15.3 |
| C017 Detect and report events | IR.2.093 | Detect and report events. | N/A | ✓ | ✓ | AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6 | IRO-09 |
| C019 Perform post incident reviews | IR.2.097 | Perform root cause analysis on incidents to determine underlying causes. | N/A | ✓ | ✓ | AU-2, IR-4 | IRO-13 |
| C020 Test incident response | IR.3.099 | Test the organizational incident response capability. | N/A | ✓ | ✓ | IR-3 | IRO-06 |
| C020 Test incident response | IR.5.110 | Perform unannounced operational exercises to demonstrate technical and procedural responses. | N/A | N/A | ✓ | IR-2 | IRO-06 |
| C021 Manage maintenance | MA.2.112 | Provide controls on the tools, techniques, mechanisms and personnel used to conduct system maintenance. | N/A | ✓ | ✓ | MA-2, MA-3, MA-3(1), MA-3(2) | MNT-04 |
| C021 Manage maintenance | MA.2.113 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | N/A | ✓ | ✓ | MA-4 | MNT-05 |
| C027 Protect federal contract information during personnel actions | PS.2.128 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | N/A | ✓ | ✓ | PS-3, PS-4, PS-5 | HRS-08, HRS-09 |
| C031 Identify and evaluate risk | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of CUI. | N/A | ✓ | ✓ | RA-3 | RSK-04 |
| C038 Define security requirements for systems and communications | SC.3.177 | Use encrypted sessions for the management of network devices. | N/A | ✓ | ✓ | | CRY-03 |
| C038 Define security requirements for systems and communications | SC.2.179 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | N/A | ✓ | ✓ | SC-13 | CRY-001 |
| C038 Define security requirements for systems and communications | SC.3.180 | Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems. | N/A | ✓ | ✓ | SC-7, SA-8 | SEA-01 |
| C038 Define security requirements for systems and communications | SC.3.181 | Separate user functionality from system management functionality. | N/A | ✓ | ✓ | SC-2 | SEA-03.2 |
| C038 Define security requirements for systems and communications | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | N/A | ✓ | ✓ | SC-8, SC-8(1) | CRY-01.1 |
| C038 Define security requirements for systems and communications | SC.3.186 | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | N/A | ✓ | ✓ | SC-10 | NET-07 |
| C038 Define security requirements for systems and communications | SC.3.187 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | N/A | ✓ | ✓ | SC-12 | CRY-08 |
| C038 Define security requirements for systems and communications | SC.3.190 | Protect the authenticity of communications sessions. | N/A | ✓ | ✓ | SC-23 | NET-09 |
| C038 Define security requirements for systems and communications | SC.4.197 | Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization. | N/A | N/A | ✓ | | NET-03 |
| C038 Define security requirements for systems and communications | SC.5.198 | Configure monitoring systems to record packets passing through the organization's Internet network boundaries and other organization-defined boundaries. | N/A | N/A | ✓ | SC-7(8) | MON-01.9 |
| C038 Define security requirements for systems and communications | SC.5.230 | Enforce port and protocol compliance. | N/A | N/A | ✓ | CM-2, CM-6, CM-7, SA-4(9), SA-8, SC-7(17) | CFG-02 |
| C039 Control communications at system boundaries | SC.1.175 | Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | ✓ | ✓ | ✓ | SC-7, SA-8 | NET-03 |
| C039 Control communications at system boundaries | SC.1.176 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | ✓ | ✓ | ✓ | SC-7 | NET-06 |
| C039 Control communications at system boundaries | SC.5.208 | Employ organizationally-defined and tailored boundary protections in addition to commercially-available solutions. | N/A | N/A | ✓ | SC-7, SC-7(9), SC-7(11) | NET-02 |
| C039 Control communications at system boundaries | SI.2.214 | Monitor system security alerts and advisories and take action in response. | N/A | ✓ | ✓ | SI-2, SI-3, SI-5 | MON-01.8 |
| C039 Control communications at system boundaries | SI.4.221 | Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting. | N/A | N/A | ✓ | SI-5, SI-5(1) | MON-11.3 |
| C042 Perform network and system monitoring | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | N/A | ✓ | ✓ | AU-2, AU-6, SI-4, SI-4(4) | MON-01.3 |

A ✓ marks each CMMC level (1, 3 or 5) at which the practice is required; CMMC levels are cumulative, so a Level 1 practice is also required at Levels 3 and 5. N/A means the practice is not required at that level. An empty NIST 800-53 R5 cell means the source table lists no NIST control for that practice.
This table is used under the Creative Commons Attribution license from CMMC Center of Awesomeness (CMMC-COA) © 2021