Below is a detailed overview of how Portnox CLEAR, a cloud-delivered NAC-as-a-Service, aligns with the current CMMC compliance standards across its three primary levels. To learn more about how Portnox's NAC solutions assist with compliance enforcement, click here.
CMMC Level | Domain | Control No. | Practice | Practice Description | Portnox Value |
---|---|---|---|---|---|
1 | Physical Protection | 9 | PE.1.132 | Escort visitors and monitor visitor activity | N/A |
1 | System & Information Integrity | 17 | SI.1.213 | Perform periodic scans of the IS and real time scans of files from external sources as downloaded, opened or executed | N/A |
1 | System & Information Integrity | 16 | SI.1.212 | Update malware protection software when available | N/A |
1 | System & Information Integrity | 15 | SI.1.211 | Provide protection from malware where appropriate | Meets |
1 | System & Information Integrity | 14 | SI.1.210 | Identify, report, and correct IS flaws in a timely manner | Meets |
1 | System & Comm Protection | 13 | SC.1.176 | Implement subnetworks for public systems | Meets |
1 | System & Comm Protection | 12 | SC.1.175 | Monitor, control & protect information transmitted or received by IS at perimeter and key internal boundaries | Contributes |
1 | Physical Protection | 11 | PE.1.134 | Control and manage physical access devices | Meets |
1 | Physical Protection | 10 | PE.1.133 | Maintain audit logs of physical access | N/A |
1 | Access Control | 1 | AC.1.001 | Limit IS access to authorized users, processes, and devices | Meets |
1 | Physical Protection | 8 | PE.1.131 | Limit access to authorized individuals | N/A |
1 | Media Protection | 7 | MP.1.118 | Sanitize or destroy media containing Federal Contract (or PII or sensitive data) before disposal | N/A |
1 | ID & Authenticate | 6 | IA.1.077 | Authenticate/verify the ID of those users/processes/devices before giving access | Meets |
1 | ID & Authenticate | 5 | IA.1.076 | Identify users, processes, and devices | Meets |
1 | Access Control | 4 | AC.1.004 | Control information posted or processed on public IS | N/A |
1 | Access Control | 3 | AC.1.003 | Verify & Control connections to and use of external IS | Contributes |
1 | Access Control | 2 | AC.1.002 | Limit IS access to types of transactions & functions that are required for authorized users | Meets |
CMMC Level | Domain | Control No. | Practice | Practice Description | Portnox Value |
---|---|---|---|---|---|
2 | ID & Authenticate | 31 | IA.2.080 | Allow Temp PWD for login with immediate change to permanent password | N/A |
2 | Media Protection | 43 | IA.1.077 | Authenticate/verify the ID of those users/processes/devices before giving access | N/A |
2 | Incident Response | 42 | MA.2.114 | Supervise maintenance personnel who don't have authorization | N/A |
2 | Incident Response | 40 | MA.2.112 | Controls on maintenance | N/A |
2 | Incident Response | 39 | MA.2.111 | Maintenance on organizational systems | N/A |
2 | Incident Response | 38 | IR.2.097 | Root Cause Analysis on incidents | N/A |
2 | Incident Response | 36 | IR.2.094 | Analyze & Triage events for resolution & declaration | N/A |
2 | ID & Authenticate | 33 | IA.2.082 | Obscure Feedback of authentication information | N/A |
2 | ID & Authenticate | 32 | IA.2.081 | Store and transmit only encrypted passwords | N/A |
2 | Media Protection | 44 | MP.2.119 | Physically control and securely store media (digital or paper) containing CUI or other sensitive data | N/A |
2 | ID & Authenticate | 30 | IA.2.079 | Prohibit Password reuse for a specified number of generations | N/A |
2 | ID & Authenticate | 29 | IA.2.078 | Min password complexity and change of char | N/A |
2 | Configuration Management | 24 | CM.2.064 | Security Config Settings for IT products | N/A |
2 | Configuration Management | 22 | CM.2.062 | Principle of least functionality -config to only do what's needed | N/A |
2 | Awareness & Training | 20 | AT.2.057 | Train users in assigned IS related duties/responsibilities | N/A |
2 | Awareness & Training | 19 | AT.2.056 | Educate mgrs, admins, users of security risks and policies | N/A |
2 | Audit & Accountability | 18 | AU.2.044 | Review Audit Logs | N/A |
2 | Recovery | 55 | RE.2.138 | Protect confidentiality of backup CUI where stored | N/A |
2 | System & Information Integrity | 69 | SI.1.210 | Identify, report, and correct IS flaws in a timely manner | N/A |
2 | System & Information Integrity | 68 | SI.1.212 | Update malware protection software when available | N/A |
2 | System & Comm Protection | 65 | SC.2.179 | Encrypt management sessions to devices | N/A |
2 | System & Comm Protection | 64 | SC.2.178 | Prohibit remote activation of devices and notify of use | N/A |
2 | Security Assessment | 61 | CA.2.159 | Implement plans to correct deficiencies & vulnerabilities | N/A |
2 | Security Assessment | 60 | CA.2.158 | Periodically assess security controls | N/A |
2 | Security Assessment | 59 | CA.2.157 | Documentation of security plans | N/A |
2 | Risk Management | 57 | RM.2.142 | Vulnerability Scan | N/A |
2 | Audit & Accountability | 17 | AU.2.043 | Synchronize system clocks with authoritative source for time stamps | N/A |
2 | Recovery | 54 | RE.2.137 | Regularly perform and test backups | N/A |
2 | Physical Protection | 53 | PE.2.135 | Protect/Monitor Physical Facility | N/A |
2 | Physical Protection | 51 | PE.1.133 | Maintain audit logs of physical access | N/A |
2 | Physical Protection | 50 | PE.1.132 | Escort visitors and monitor visitor activity | N/A |
2 | Physical Protection | 49 | MP.1.118 | Sanitize or destroy media containing Federal Contract (or PII or sensitive data) before disposal | N/A |
2 | Personnel Security | 48 | PS.2.128 | Protect CUI/SD during terminations/transfers | N/A |
2 | Personnel Security | 47 | PS.2.127 | Screen personnel | N/A |
2 | System & Comm Protection | 63 | 0 | 0 | Meets |
2 | Audit & Accountability | 15 | AU.2.041 | Users must be uniquely identified and tracked for accountability | Meets |
2 | Access Control | 14 | AC.2.016 | Control Flow of CUI in accordance with approved auth. | Meets |
2 | Access Control | 13 | AC.2.015 | Remote Access only through managed access control points | Meets |
2 | Access Control | 12 | AC.2.013 | Monitor and control remote access sessions | Meets |
2 | Access Control | 11 | AC.2.011 | Authorized Wireless Access | Meets |
2 | Access Control | 10 | AC.2.010 | Inactivity Session Lockout | Meets |
2 | Access Control | 6 | AC.2.006 | Limit Use of portable storage devices on ext systems | Meets |
2 | Access Control | 5 | AC.2.005 | Privacy & Security notices consistent with applicable CUI Rules | Meets |
2 | Audit & Accountability | 16 | AU.2.042 | System Audit logs and records | Meets |
2 | System & Comm Protection | 62 | PE.1.134 | Control and manage physical access devices | Meets |
2 | Risk Management | 58 | RM.2.143 | Remediate vulnerabilities from scan and assessment | Meets |
2 | Risk Management | 56 | RM.2.141 | Periodic risk assessment around systems and handling of CUI/SD | Meets |
2 | Media Protection | 46 | MP.2.121 | Control use of removable media | Meets |
2 | Media Protection | 45 | MP.2.120 | Limit access to CUI/sensitive data on systems to authorized users | Meets |
2 | Incident Response | 41 | MA.2.113 | MFA for remote connections and terminate upon completion | Meets |
2 | Incident Response | 37 | IR.2.096 | Pre-defined responses to declared incidents | Meets |
2 | System & Information Integrity | 66 | SC.1.176 | Implement subnetworks for public systems | Meets |
2 | Access Control | 9 | AC.2.009 | Limit unsuccessful logon attempts | N/A |
2 | Access Control | 8 | AC.2.008 | Use non-priv accounts when doing non-priv functions | N/A |
2 | Access Control | 7 | AC.2.007 | Principle of Least Privilege | N/A |
2 | System & Information Integrity | 71 | SI.2.216 | Monitor systems and traffic to detect attack patterns | Contributes |
2 | System & Information Integrity | 70 | SI.2.214 | Monitor security alerts and take action | Contributes |
2 | Configuration Management | 21 | CM.2.061 | Baseline configs and inventory | Contributes |
2 | System & Information Integrity | 72 | SI.2.217 | Identify Unauthorized use of organizational systems | Meets |
2 | System & Information Integrity | 67 | SI.1.211 | Provide protection from malware where appropriate | Meets |
2 | Incident Response | 35 | IR.2.093 | Detect and report events | Meets |
2 | Physical Protection | 52 | PE.1.131 | Limit access to authorized individuals | Meets |
2 | Incident Response | 34 | IR.2.092 | Operational Incident Handling capability | Meets |
2 | ID & Authenticate | 28 | IA.1.077 | Authenticate/verify the ID of those users/processes/devices before giving access | Meets |
2 | ID & Authenticate | 27 | AC.1.004 | Control information posted or processed on public IS | Meets |
2 | Configuration Management | 26 | CM.2.066 | Analyze security impact of changes prior to implementation | Meets |
2 | Configuration Management | 25 | CM.2.065 | Track, review, approve/disapprove, and log changes to systems | Meets |
2 | Configuration Management | 23 | CM.2.063 | Control and Monitor User Installed Software | Meets |
CMMC Level | Domain | Control No. | Practice | Practice Description | Portnox Value |
---|---|---|---|---|---|
3 | Access Control | 1 | AC.1.001 | Limit IS access to authorized users, processes, and devices | Meets |
3 | Access Control | 2 | AC.1.002 | Limit IS access to types of transactions & functions that are required for authorized users | Meets |
3 | Access Control | 5 | AC.2.005 | Privacy & Security notices consistent with applicable CUI Rules | Meets |
3 | Access Control | 6 | AC.2.006 | Limit Use of portable storage devices on ext systems | Meets |
3 | Access Control | 10 | AC.2.010 | Inactivity Session Lockout | Meets |
3 | Access Control | 11 | AC.2.011 | Authorized Wireless Access | Meets |
3 | Access Control | 12 | AC.3.012 | Protect Wireless with Authentication & Encryption | Meets |
3 | Access Control | 13 | AC.2.013 | Monitor and control remote access sessions | Meets |
3 | Access Control | 15 | AC.2.015 | Remote Access only through managed access control points | Meets |
3 | Access Control | 18 | AC.3.018 | Prevent admin functions from normal users, log admin activity | Meets |
3 | Access Control | 20 | AC.3.020 | Control Connection of mobile devices | Meets |
3 | Access Control | 22 | AC.3.022 | Encrypt CUI/SD on mobile devices & laptops | Meets |
3 | Audit & Accountability | 24 | AU.2.041 | Users must be uniquely identified and tracked for accountability | Meets |
3 | Audit & Accountability | 25 | AU.2.042 | System Audit logs and records | Meets |
3 | Configuration Management | 44 | CM.3.068 | Restrict/disable/prevent use of nonessential functions | Meets |
3 | Configuration Management | 45 | CM.3.069 | Blacklist policy to prevent unauthorized software, or whitelist approved software | Meets |
3 | Incident Response | 57 | IR.2.092 | Operational Incident Handling capability | Meets |
3 | Incident Response | 58 | IR.2.093 | Detect and report events | Meets |
3 | Incident Response | 60 | IR.2.096 | Pre-defined responses to declared incidents | Meets |
3 | Risk Management | 89 | RM.2.141 | Periodic risk assessment around systems and handling of CUI/SD | Meets |
3 | Risk Management | 91 | RM.2.143 | Remediate vulnerabilities from scan and assessment | Meets |
3 | Risk Management | 92 | RM.3.144 | Periodic risk assessments overall risk | Meets |
3 | Risk Management | 93 | RM.3.146 | Risk Mitigation Plans | Meets |
3 | Configuration Management | 39 | CM.2.063 | Control and Monitor User Installed Software | Meets |
3 | Configuration Management | 41 | CM.2.065 | Track, review, approve/disapprove, and log changes to systems | Meets |
3 | ID & Authenticate | 46 | IA.1.076 | Identify users, processes, and devices | Meets |
3 | ID & Authenticate | 47 | IA.1.077 | Authenticate/verify the ID of those users/processes/devices before giving access | Meets |
3 | ID & Authenticate | 53 | IA.3.083 | MFA for local and nw access for admins and for nw access for users | Meets |
3 | ID & Authenticate | 54 | IA.3.084 | Replay resistant authentication for network access | Meets |
3 | ID & Authenticate | 55 | IA.3.085 | Prevent reuse of identifiers for a defined period | Meets |
3 | ID & Authenticate | 56 | IA.3.086 | Disable identifiers after a defined period of inactivity | Meets |
3 | Maintenance | 66 | MA.2.113 | MFA for remote connections and terminate upon completion | Meets |
3 | Media Protection | 72 | MP.2.120 | Limit access to CUI/sensitive data on systems to authorized users | Meets |
3 | Media Protection | 73 | MP.2.121 | Control use of removable media | Meets |
3 | Media Protection | 75 | MP.3.123 | Prohibit use of non approved/identified portable storage | Meets |
3 | Media Protection | 77 | MP.3.125 | Encrypt portable media during transport | Meets |
3 | Physical Protection | 83 | PE.1.134 | Control and manage physical access devices | Meets |
3 | System & Comm Protection | 101 | SC.1.175 | Monitor, control & protect information transmitted or received by IS at perimeter and key internal boundaries | Meets |
3 | System & Comm Protection | 102 | SC.1.176 | Implement subnetworks for public systems | Meets |
3 | System & Comm Protection | 108 | SC.3.183 | Network traffic - deny all, permit by exception | Meets |
3 | System & Information Integrity | 119 | SI.1.210 | Identify, report, and correct IS flaws in a timely manner | Meets |
3 | System & Information Integrity | 120 | SI.1.211 | Provide protection from malware where appropriate | Meets |
3 | System & Information Integrity | 125 | SI.2.217 | Identify Unauthorized use of organizational systems | Meets |
3 | Audit & Accountability | 29 | AU.3.048 | Collect audit logs into central repository | Contributes |
3 | Configuration Management | 37 | CM.2.061 | Baseline configs and inventory | Contributes |
3 | Recovery | 88 | RE.3.139 | Complete backups | Contributes |
3 | System & Comm Protection | 106 | SC.3.181 | Separate user functionality from admin functionality | Contributes |
3 | System & Comm Protection | 107 | SC.3.182 | Prevent unauthorized/unintended information transfer via shared system resources | Contributes |
3 | System & Information Integrity | 123 | SI.2.214 | Monitor security alerts and take action | Contributes |
3 | System & Information Integrity | 124 | SI.2.216 | Monitor systems and traffic to detect attack patterns | Contributes |
3 | Access Control | 3 | AC.1.003 | Verify & Control connections to and use of external IS | Contributes |
3 | Access Control | 4 | AC.1.004 | Control information posted or processed on public IS | N/A |
3 | Access Control | 7 | AC.2.007 | Principle of Least Privilege | N/A |
3 | Access Control | 8 | AC.2.008 | Use non-priv accounts when doing non-priv functions | N/A |
3 | Access Control | 9 | AC.2.009 | Limit unsuccessful logon attempts | N/A |
3 | Access Control | 14 | AC.3.014 | Encrypt Remote Access Sessions | N/A |
3 | Access Control | 16 | AC.2.016 | Control Flow of CUI in accordance with approved auth. | N/A |
3 | Access Control | 17 | AC.3.017 | Separate duties to reduce malevolent activity w/o collusion | N/A |
3 | Access Control | 19 | AC.3.019 | Terminate user sessions after defined condition | N/A |
3 | Access Control | 21 | AC.3.021 | Authorize remote exec of admin cmds and remote access to security relevant information | N/A |
3 | Asset Management | 23 | AM.3.036 | Define procs for handling CUI data | N/A |
3 | Audit & Accountability | 26 | AU.2.043 | Synchronize system clocks with authoritative source for time stamps | N/A |
3 | Audit & Accountability | 27 | AU.2.044 | Review Audit Logs | N/A |
3 | Audit & Accountability | 28 | AU.3.045 | Review & update logged events | N/A |
3 | Audit & Accountability | 30 | AU.3.049 | Protect audit data from unauthorized access/mod/delete | N/A |
3 | Audit & Accountability | 31 | AU.3.050 | Limit mgmt of audit logging to limited privileged users | N/A |
3 | Audit & Accountability | 32 | AU.3.051 | Correlate data for investigation if indications of unauthorized activity | N/A |
3 | Audit & Accountability | 33 | AU.3.052 | Audit record reduction & report generation | N/A |
3 | Awareness & Training | 34 | AT.2.056 | Educate mgrs, admins, users of security risks and policies | N/A |
3 | Awareness & Training | 35 | AT.2.057 | Train users in assigned IS related duties/responsibilities | N/A |
3 | Awareness & Training | 36 | AT.3.058 | Security Awareness Training | N/A |
3 | Configuration Management | 38 | CM.2.062 | Principle of least functionality -config to only do what's needed | N/A |
3 | Configuration Management | 40 | CM.2.064 | Security Config Settings for IT products | N/A |
3 | Configuration Management | 42 | CM.2.066 | Analyze security impact of changes prior to implementation | N/A |
3 | Configuration Management | 43 | CM.3.067 | Define, doc, app, enf access restrictions based on system changes | N/A |
3 | ID & Authenticate | 48 | IA.2.078 | Min password complexity and change of char | N/A |
3 | ID & Authenticate | 49 | IA.2.079 | Prohibit Password reuse for a specified number of generations | N/A |
3 | ID & Authenticate | 50 | IA.2.080 | Allow Temp PWD for login with immediate change to permanent password | N/A |
3 | ID & Authenticate | 51 | IA.2.081 | Store and transmit only encrypted passwords | N/A |
3 | ID & Authenticate | 52 | IA.2.082 | Obscure Feedback of authentication information | N/A |
3 | Incident Response | 59 | IR.2.094 | Analyze & Triage events for resolution & declaration | N/A |
3 | Incident Response | 61 | IR.2.097 | Root Cause Analysis on incidents | N/A |
3 | Incident Response | 62 | IR.3.098 | Track, doc, report incidents internally and externally | N/A |
3 | Incident Response | 63 | IR.3.099 | Test operational incident response | N/A |
3 | Maintenance | 64 | MA.2.111 | Maintenance on organizational systems | N/A |
3 | Maintenance | 65 | MA.2.112 | Controls on maintenance | N/A |
3 | Maintenance | 67 | MA.2.114 | Supervise maintenance personnel who don't have authorization | N/A |
3 | Maintenance | 68 | MA.3.115 | Ensure equipment removed is wiped | N/A |
3 | Maintenance | 69 | MA.3.116 | Check diagnostic media for malicious code before use | N/A |
3 | Media Protection | 70 | MP.1.118 | Sanitize or destroy media containing Federal Contract (or PII or sensitive data) before disposal | N/A |
3 | Media Protection | 71 | MP.2.119 | Physically control and securely store media (digital or paper) containing CUI or other sensitive data | N/A |
3 | Media Protection | 74 | MP.3.122 | Mark media including paper with CUI info | N/A |
3 | Media Protection | 76 | MP.3.124 | Control access to media and maintain accountability during transport outside of controlled area | N/A |
3 | Personnel Security | 78 | PS.2.127 | Screen personnel | N/A |
3 | Personnel Security | 79 | PS.2.128 | Protect CUI/SD during terminations/transfers | N/A |
3 | Physical Protection | 80 | PE.1.131 | Limit access to authorized individuals | N/A |
3 | Physical Protection | 81 | PE.1.132 | Escort visitors and monitor visitor activity | N/A |
3 | Physical Protection | 82 | PE.1.133 | Maintain audit logs of physical access | N/A |
3 | Physical Protection | 84 | PE.2.135 | Protect/Monitor Physical Facility | N/A |
3 | Physical Protection | 85 | PE.3.136 | Enforce CUI safeguards at alternate work sites | N/A |
3 | Recovery | 86 | RE.2.137 | Regularly perform and test backups | N/A |
3 | Recovery | 87 | RE.2.138 | Protect confidentiality of backup CUI where stored | N/A |
3 | Risk Management | 90 | RM.2.142 | Vulnerability Scan | N/A |
3 | Risk Management | 94 | RM.3.147 | Manage EOL products and restrict to reduce risk | N/A |
3 | Security Assessment | 95 | CA.2.157 | Documentation of security plans | N/A |
3 | Security Assessment | 96 | CA.2.158 | Periodically assess security controls | N/A |
3 | Security Assessment | 97 | CA.2.159 | Implement plans to correct deficiencies & vulnerabilities | N/A |
3 | Security Assessment | 98 | CA.3.161 | Monitor security controls | N/A |
3 | Security Assessment | 99 | CA.3.162 | If you have custom software, do a security assessment of it | N/A |
3 | Situational Awareness | 100 | SA.3.169 | Get cyber threat intelligence from sharing sites and forums and communicate to stakeholders | N/A |
3 | System & Comm Protection | 103 | SC.2.178 | Prohibit remote activation of devices and notify of use | N/A |
3 | System & Comm Protection | 104 | SC.2.179 | Encrypt management sessions to devices | N/A |
3 | System & Comm Protection | 105 | SC.3.180 | Arch Designs, Soft Dev & Sys Eng techniques that promote effective info security | N/A |
3 | System & Comm Protection | 109 | SC.3.184 | No split tunneling on remote connection | N/A |
3 | System & Comm Protection | 110 | SC.3.185 | Encrypt transmission of CUI/SD | N/A |
3 | System & Comm Protection | 111 | SC.3.186 | Terminate sessions after end or defined period of inactivity | N/A |
3 | System & Comm Protection | 112 | SC.3.187 | Manage Encryption Keys | N/A |
3 | System & Comm Protection | 113 | SC.3.188 | Control/monitor mobile code such as Java/ActiveX/etc | N/A |
3 | System & Comm Protection | 114 | SC.3.189 | Control/monitor VoIP | N/A |
3 | System & Comm Protection | 115 | SC.3.190 | Protect authenticity of comm sessions | N/A |
3 | System & Comm Protection | 116 | SC.3.191 | Encrypt CUI/SD where stored | N/A |
3 | System & Comm Protection | 117 | SC.3.192 | DNS filtering services | N/A |
3 | System & Comm Protection | 118 | SC.3.193 | Policy restricting CUI/SC on public sites (social media) | N/A |
3 | System & Information Integrity | 121 | SI.1.212 | Update malware protection software when available | N/A |
3 | System & Information Integrity | 122 | SI.1.213 | Perform periodic scans of the IS and real time scans of files from external sources as downloaded, opened or executed | N/A |
3 | System & Information Integrity | 126 | SI.3.218 | Spam protection | N/A |
3 | System & Information Integrity | 127 | SI.3.219 | Email forgery protections | N/A |
3 | System & Information Integrity | 128 | SI.3.220 | Sandbox to detect or block malicious email | N/A |