CMMC Level 2 requirements: all 110 NIST SP 800-171 controls

Limit system access to authorized users

Limit users to permitted transactions and functions

Control the flow of CUI

Separate duties to reduce malicious risk

Enforce least privilege for privileged accounts

Use non-privileged accounts for routine tasks

Prevent and log privileged function execution

Limit repeated unsuccessful logon attempts

Display privacy and security notices

Lock idle sessions with pattern-hiding displays

Terminate user sessions after defined conditions

Monitor and control remote access sessions

Encrypt remote access sessions with cryptographic mechanisms

Route remote access through managed control points

Authorize remote privileged commands and security access

Authorize wireless access before allowing connections

Protect wireless access with authentication and encryption

Control connections of mobile computing devices

Encrypt CUI on mobile devices and platforms

Verify and limit external system connections

Limit portable storage on external systems

Control CUI on publicly accessible systems

Make users aware of security risks

Train personnel to perform security duties

Provide insider threat awareness training

Create and retain system audit logs

Trace user actions to unique individuals

Review and update logged event types

Alert on audit logging process failures

Correlate audit review, analysis, and reporting

Provide audit reduction and report generation

Synchronize system clocks with authoritative source

Protect audit information and logging tools

Restrict audit management to privileged users

Establish and maintain baseline system configurations

Enforce security configuration settings for products

Track, review, approve, and log changes

Analyze security impact before implementing changes

Enforce access restrictions for system changes

Configure systems for essential capabilities only

Restrict nonessential programs, ports, and services

Apply software allowlisting or denylisting policies

Control and monitor user-installed software

Identify system users, processes, and devices

Authenticate users, processes, and devices before access

Use multifactor authentication for system access

Employ replay-resistant authentication for network access

Prevent identifier reuse for defined period

Disable identifiers after defined inactivity period

Enforce minimum password complexity and change

Prohibit password reuse for specified generations

Allow temporary passwords with immediate change

Store and transmit only cryptographically protected passwords

Obscure feedback of authentication information

Establish an operational incident-handling capability

Track, document, and report security incidents

Test the organizational incident response capability

Perform maintenance on organizational systems

Control maintenance tools, techniques, and personnel

Sanitize equipment removed for off-site maintenance

Check maintenance media for malicious code

Require multifactor authentication for nonlocal maintenance

Supervise maintenance personnel lacking access authorization

Protect system media containing CUI

Limit CUI media access to authorized users

Sanitize or destroy media before disposal

Mark media with required CUI markings

Control and account for transported media

Encrypt CUI on media during transport

Control removable media on system components

Prohibit portable storage without identifiable owner

Protect confidentiality of backup CUI

Screen individuals before authorizing system access

Protect CUI during personnel terminations and transfers

Limit physical access to authorized individuals

Protect and monitor facility support infrastructure

Escort visitors and monitor visitor activity

Maintain audit logs of physical access

Control and manage physical access devices

Enforce CUI safeguards at alternate worksites

Periodically assess risk to operations and individuals

Scan for system and application vulnerabilities

Remediate vulnerabilities according to risk assessments

Periodically assess security control effectiveness

Develop plans of action for deficiencies

Monitor security controls on ongoing basis

Develop and update system security plans

Monitor and protect communications at boundaries

Use secure architecture and engineering principles

Separate user functionality from system management

Prevent information transfer via shared resources

Implement subnetworks for publicly accessible components

Deny network traffic by default, allow by exception

Prevent split tunneling on remote devices

Encrypt CUI in transit unless otherwise protected

Terminate network connections when sessions end

Establish and manage cryptographic keys

Employ FIPS-validated cryptography to protect CUI

Prohibit remote activation of collaborative devices

Control and monitor use of mobile code

Control and monitor VoIP technologies

Protect authenticity of communications sessions

Protect confidentiality of CUI at rest

Identify, report, and correct system flaws

Provide malicious code protection at designated locations

Monitor security alerts and take action

Update malicious code protection mechanisms promptly

Perform periodic system and real-time file scans

Monitor systems and traffic for attacks

Identify unauthorized use of organizational systems