// Verbatim reference for all 320 NIST 800-171A Rev 2 assessment objectives, plus the Rev 2 → Rev 3 control crosswalk. Use for AO-level lookups (e.g., 3.1.1[c]), evidence planning, and forward-mapping to Rev 3. Pairs with cmmc-expert.
Build and deploy a production-ready Trust Center for any company. Use this skill whenever someone asks to create a trust center, compliance portal, security page, or wants to publish their SOC 2/SOC 3/ISO 27001/HIPAA/compliance posture publicly. Also triggers when someone mentions gated document access for audit reports, NDA-based document sharing, or wants to replace paid trust center tools like Secureframe, Vanta, Drata, or SafeBase. Even if they just say "I need a place to share my SOC 2 with customers" — that's a trust center. Use this skill.
NIST Cybersecurity Framework v2.0 expert. Reference-depth knowledge of the six Functions (Govern, Identify, Protect, Detect, Respond, Recover), Categories and Subcategories, Profiles (Current vs Target), Tiers, Implementation Examples, and the practitioner workflow of using CSF as a board-readable cybersecurity outcomes language. Backed by the SCF crosswalk for control-by-control mechanics.
CMMC v2.0 expert for DoD contractors. Covers NIST 800-171 Rev 2 (14 families, 110 controls), SPRS scoring, POA&M rules, 32 CFR Part 170, DFARS clauses, scoping, ESP/CSP, C3PAO assessment lifecycle, and Rev 2 → Rev 3 transition.
Interpret testssl-inspector normalized findings, recommend remediations, and tie evidence back to SCF anchor controls plus SOC 2 / NIST 800-53 r5 / PCI DSS 4.0.1 / ISO 27002:2022 equivalents derived from SCF crosswalks.
Scaffolds a complete React/Vite website project from site-config.json. Generates components, styles, and configuration based on the site type and plan data.
Sets up GitHub Actions CI/CD workflow for automatic deployment to AWS on push to main. Uses GitHub OIDC for keyless AWS authentication.
| name | cmmc-assessment-objectives |
| description | Verbatim reference for all 320 NIST 800-171A Rev 2 assessment objectives, plus the Rev 2 → Rev 3 control crosswalk. Use for AO-level lookups (e.g., 3.1.1[c]), evidence planning, and forward-mapping to Rev 3. Pairs with cmmc-expert. |
| allowed-tools | Read, Glob, Grep, Write |
The scoreable layer underneath every CMMC Level 2 assessment. Where cmmc-expert describes the CMMC program, this skill captures the 320 specific objectives an assessor is actually scoring against, plus the structural Rev 2 → Rev 3 mapping.
| Question | Skill |
|---|---|
| What does CMMC require, who needs L1 vs L2, how does SPRS scoring work, what's POA&M-eligible? | cmmc-expert |
| What does an assessor look for at the objective level for 3.1.1? What does 3.13.11[a] actually say? | this skill |
| Where does Rev 2 3.5.7 land in Rev 3? Which Rev 2 controls were withdrawn? | this skill |
| What FedRAMP level does a CSP need for CUI? | cmmc-expert |
| What does FIPS-validated cryptography mean in Rev 3 vs. Rev 2? | this skill (note in 3.13.11 crosswalk row) |
Lookup patterns:
## 3.X) → find the practice number.[a], [b], [c]... — these are the scoreable units.Layer 1 — Assessment objectives (Rev 2):
Layer 2 — Rev 2 → Rev 3 crosswalk:
Critical constants for Rev 2:
Chapter.Family.Requirement[Objective] — e.g., 3.1.1[a] = AC, requirement 1, objective a.| Family | Rev 2 Controls | Rev 2 Assessment Objectives |
|---|---|---|
| 3.1 Access Control (AC) | 22 | 70 |
| 3.2 Awareness & Training (AT) | 3 | 9 |
| 3.3 Audit & Accountability (AU) | 9 | 29 |
| 3.4 Configuration Management (CM) | 9 | 44 |
| 3.5 Identification & Authentication (IA) | 11 | 25 |
| 3.6 Incident Response (IR) | 3 | 14 |
| 3.7 Maintenance (MA) | 6 | 10 |
| 3.8 Media Protection (MP) | 9 | 15 |
| 3.9 Personnel Security (PS) | 2 | 4 |
| 3.10 Physical Protection (PE) | 6 | 16 |
| 3.11 Risk Assessment (RA) | 3 | 9 |
| 3.12 Security Assessment (CA) | 4 | 14 |
| 3.13 System & Comms Protection (SC) | 16 | 41 |
| 3.14 System & Info Integrity (SI) | 7 | 20 |
| TOTAL | 110 | 320 |
Three methods — not four. "Determine" is the verb each objective opens with, not a separate method.
| Method | What it means | Depth attributes |
|---|---|---|
| EXAMINE | Reviewing, inspecting, observing, studying, or analyzing assessment objects (specifications, mechanisms, activities). | Basic / Focused / Comprehensive |
| INTERVIEW | Discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. | Basic / Focused / Comprehensive |
| TEST | Exercising assessment objects under specified conditions to compare actual with expected behavior. | Basic (black box) / Focused (gray box) / Comprehensive (white box) |
Each lettered sub-item ([a], [b], ...) is one scoreable assessment objective. For each, the assessor will (per NIST 800-171A):
Practice-level rollup: all AOs within a practice must be Satisfied for the practice to be MET in a C3PAO assessment.
Text below is verbatim from NIST SP 800-171A. Each lettered sub-item is one scoreable assessment objective.
3.1.1 — Limit system access to authorized users, processes acting on behalf of authorized users, and devices.
3.1.2 — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
3.1.3 — Control the flow of CUI in accordance with approved authorizations.
3.1.4 — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
3.1.5 — Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.1.6 — Use non-privileged accounts or roles when accessing nonsecurity functions.
3.1.7 — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
3.1.8 — Limit unsuccessful logon attempts.
3.1.9 — Provide privacy and security notices consistent with applicable CUI rules.
3.1.10 — Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
3.1.11 — Terminate (automatically) a user session after a defined condition.
3.1.12 — Monitor and control remote access sessions.
3.1.13 — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
3.1.14 — Route remote access via managed access control points.
3.1.15 — Authorize remote execution of privileged commands and remote access to security-relevant information.
3.1.16 — Authorize wireless access prior to allowing such connections.
3.1.17 — Protect wireless access using authentication and encryption.
3.1.18 — Control connection of mobile devices.
3.1.19 — Encrypt CUI on mobile devices and mobile computing platforms.
3.1.20 — Verify and control/limit connections to and use of external systems.
3.1.21 — Limit use of portable storage devices on external systems.
3.1.22 — Control CUI posted or processed on publicly accessible systems.
3.2.1 — Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities.
3.2.2 — Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
3.2.3 — Provide security awareness training on recognizing and reporting potential indicators of insider threat.
3.3.1 — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
3.3.2 — Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
3.3.3 — Review and update logged events.
3.3.4 — Alert in the event of an audit logging process failure.
3.3.5 — Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
3.3.6 — Provide audit record reduction and report generation to support on-demand analysis and reporting.
3.3.7 — Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
3.3.8 — Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
3.3.9 — Limit management of audit logging functionality to a subset of privileged users.
3.4.1 — Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles.
3.4.2 — Establish and enforce security configuration settings for information technology products employed in organizational systems.
3.4.3 — Track, review, approve or disapprove, and log changes to organizational systems.
3.4.4 — Analyze the security impact of changes prior to implementation.
3.4.5 — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
3.4.6 — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
3.4.7 — Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.8 — Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
3.4.9 — Control and monitor user-installed software.
3.5.1 — Identify system users, processes acting on behalf of users, and devices.
3.5.2 — Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
3.5.3 — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
3.5.4 — Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
3.5.5 — Prevent reuse of identifiers for a defined period.
3.5.6 — Disable identifiers after a defined period of inactivity.
3.5.7 — Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 — Prohibit password reuse for a specified number of generations.
3.5.9 — Allow temporary password use for system logons with an immediate change to a permanent password.
3.5.10 — Store and transmit only cryptographically-protected passwords.
3.5.11 — Obscure feedback of authentication information.
3.6.1 — Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 — Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
3.6.3 — Test the organizational incident response capability.
3.7.1 — Perform maintenance on organizational systems.
3.7.2 — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
3.7.3 — Ensure equipment removed for off-site maintenance is sanitized of any CUI.
3.7.4 — Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
3.7.5 — Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.7.6 — Supervise the maintenance activities of maintenance personnel without required access authorization.
3.8.1 — Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
3.8.2 — Limit access to CUI on system media to authorized users.
3.8.3 — Sanitize or destroy system media containing CUI before disposal or release for reuse.
3.8.4 — Mark media with necessary CUI markings and distribution limitations.
3.8.5 — Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
3.8.6 — Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
3.8.7 — Control the use of removable media on system components.
3.8.8 — Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.8.9 — Protect the confidentiality of backup CUI at storage locations.
3.9.1 — Screen individuals prior to authorizing access to organizational systems containing CUI.
3.9.2 — Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
3.10.1 — Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
3.10.2 — Protect and monitor the physical facility and support infrastructure for organizational systems.
3.10.3 — Escort visitors and monitor visitor activity.
3.10.4 — Maintain audit logs of physical access.
3.10.5 — Control and manage physical access devices.
3.10.6 — Enforce safeguarding measures for CUI at alternate work sites.
3.11.1 — Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
3.11.2 — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.11.3 — Remediate vulnerabilities in accordance with risk assessments.
3.12.1 — Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.2 — Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
3.12.3 — Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4 — Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
3.13.1 — Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems.
3.13.2 — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
3.13.3 — Separate user functionality from system management functionality.
3.13.4 — Prevent unauthorized and unintended information transfer via shared system resources.
3.13.5 — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3.13.6 — Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
3.13.7 — Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
3.13.8 — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
3.13.9 — Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
3.13.10 — Establish and manage cryptographic keys for cryptography employed in organizational systems.
3.13.11 — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.13.12 — Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
3.13.13 — Control and monitor the use of mobile code.
3.13.14 — Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
3.13.15 — Protect the authenticity of communications sessions.
3.13.16 — Protect the confidentiality of CUI at rest.
3.14.1 — Identify, report, and correct system flaws in a timely manner.
3.14.2 — Provide protection from malicious code at designated locations within organizational systems.
3.14.3 — Monitor system security alerts and advisories and take action in response.
3.14.4 — Update malicious code protection mechanisms when new releases are available.
3.14.5 — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
3.14.6 — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
3.14.7 — Identify unauthorized use of organizational systems.
CMMC 2.0 is Rev 2 only. Rev 3 (Final, May 2024) is the forward horizon. DoD has not adopted Rev 3 for CMMC. Use this section for transition planning and to understand Rev 3 finding language — not as a substitute for Rev 2 assessment evidence.
Verification status: ✅ PDF-verified | 🔵 Training-knowledge (high confidence; verify against the Rev 3 PDF for deliverables)
| Metric | Rev 2 | Rev 3 |
|---|---|---|
| Control families | 14 | 17 (adds PL, SA, SR) |
| Total requirements | 110 | ~97 (net — many consolidations) |
| Numbering | 3.X.Y | 03.X.Y (leading zeros) |
| Basic / Derived distinction | Yes | Eliminated |
| ODPs (Organization-Defined Parameters) | None | Introduced |
| Family rename | Security Assessment (CA) | "Security Assessment and Monitoring" |
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.1.1 | Limit system access to authorized users/processes/devices | 03.01.01 | Account Management | Massively expanded — 8 parts (a–h) covering full account lifecycle |
| 3.1.2 | Limit access to permitted transactions/functions | 03.01.02 | Access Enforcement | Similar scope, refined |
| 3.1.3 | Control flow of CUI | 03.01.03 | Information Flow Enforcement | Similar scope |
| 3.1.4 | Separate duties | 03.01.04 | Separation of Duties | Slightly narrowed |
| 3.1.5 | Least privilege | 03.01.05 | Least Privilege | Split — privilege rules moved to 03.01.06/07 |
| 3.1.6 | Non-privileged accounts for non-security functions | 03.01.06 | Least Privilege – Privileged Accounts | Carved out from Rev 2 3.1.5 |
| 3.1.7 | Prevent non-privileged execution of privileged functions | 03.01.07 | Least Privilege – Privileged Functions | Carved out |
| 3.1.8 | Limit unsuccessful logon attempts | 03.01.08 | Unsuccessful Logon Attempts | Added ODPs for count and time; selection for response |
| 3.1.9 | Privacy/security notices | 03.01.09 | System Use Notification | Similar |
| 3.1.10 | Session lock | 03.01.10 | Device Lock | Added ODP for inactivity period |
| 3.1.11 | Terminate user session after defined condition | 03.01.11 | Session Termination | Added ODP for triggers |
| 3.1.12 | Monitor and control remote access | 03.01.12 | Remote Access | Consolidated with 3.1.14 and 3.1.15 |
| 3.1.13 | Crypto for remote access confidentiality | 03.01.13 | WITHDRAWN | Addressed by 03.13.08 |
| 3.1.14 | Route remote access via managed access points | 03.01.14 | WITHDRAWN | Into 03.01.12 |
| 3.1.15 | Authorize remote execution of privileged commands | 03.01.15 | WITHDRAWN | Into 03.01.12 |
| 3.1.16 | Authorize wireless access | 03.01.16 | Wireless Access | Consolidated with 3.1.17 |
| 3.1.17 | Protect wireless via authn/encryption | 03.01.17 | WITHDRAWN | Into 03.01.16 |
| 3.1.18 | Control connection of mobile devices | 03.01.18 | Access Control for Mobile Devices | Consolidated with 3.1.19 |
| 3.1.19 | Encrypt CUI on mobile devices | 03.01.19 | WITHDRAWN | Into 03.01.18 |
| 3.1.20 | Verify/control external system connections | 03.01.20 | Use of External Systems | Consolidated with 3.1.21; ODP added |
| 3.1.21 | Limit portable storage on external systems | 03.01.21 | WITHDRAWN | Into 03.01.20 |
| 3.1.22 | Control CUI on publicly accessible systems | 03.01.22 | Publicly Accessible Content | Streamlined |
AC summary: 22 Rev 2 → 13 active Rev 3 (+ 9 withdrawn slots).
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.2.1 | Make users aware of security risks | 03.02.01 | Literacy Training and Awareness | Incorporates 3.2.3; ODPs for frequency/triggers; adds social-engineering topics |
| 3.2.2 | Train personnel for assigned security duties | 03.02.02 | Role-Based Training | Similar; ODPs for frequency/triggers |
| 3.2.3 | Insider threat awareness training | 03.02.03 | WITHDRAWN | Into 03.02.01 |
AT summary: 3 Rev 2 → 2 active Rev 3 (+ 1 withdrawn).
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.3.1 | Create and retain audit logs | 03.03.01 + 03.03.03 | Split | Event types/review → 03.03.01; record generation/retention → 03.03.03 |
| 3.3.2 | Trace actions to individual users | 03.03.02 | Audit Record Content | Expanded — 6 required content elements |
| 3.3.3 | Review and update logged events | 03.03.01 | Merged | Into 03.03.01 |
| 3.3.4 | Alert on audit logging process failure | 03.03.04 | Response to Audit Logging Process Failures | ODPs for time period and additional response actions |
| 3.3.5 | Correlate audit record review/analysis | 03.03.05 | Audit Record Review, Analysis, and Reporting | ODP for review frequency |
| 3.3.6 | Record reduction and report generation | 03.03.06 | Audit Record Reduction and Report Generation | Adds requirement to preserve original content and time ordering |
| 3.3.7 | Synchronize internal clocks with authoritative source | 03.03.07 | Time Stamps | Scope changed — focus on UTC-based format and granularity; explicit NTP-sync requirement softened |
| 3.3.8 | Protect audit information and tools | 03.03.08 | Protection of Audit Information | Consolidated with 3.3.9 |
| 3.3.9 | Limit management of audit logging to privileged users | 03.03.09 | WITHDRAWN | Into 03.03.08 |
AU summary: 9 Rev 2 → 8 active Rev 3 (+ 1 withdrawn). Practitioner note on 3.3.7: Rev 3 no longer requires explicit NTP sync with an authoritative source — but for CMMC purposes (Rev 2), NTP sync is still required.
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.4.1 | Baseline configurations and inventories | 03.04.01 | Baseline Configuration | Simplified — inventory handled separately |
| 3.4.2 | Establish/enforce security configuration settings | 03.04.02 | Configuration Settings | ODP added for settings |
| 3.4.3 | Track/review/approve/log changes | 03.04.03 | Configuration Change Control | Incorporates 3.4.4 (security impact analysis) |
| 3.4.4 | Analyze security impact of changes | 03.04.03 | Merged | Into 03.04.03 |
| 3.4.5 | Physical/logical access restrictions for changes | 03.04.04 | Access Restrictions for Change | Streamlined |
| 3.4.6 | Least functionality | 03.04.05 | Least Functionality | ODP for essential capabilities |
| 3.4.7 | Restrict nonessential programs/functions/ports/protocols/services | 03.04.06 | Nonessential Programs, Functions, Ports, Protocols, and Services | 15 Rev 2 sub-objectives collapsed into a single ODP-driven control |
| 3.4.8 | Deny-by-exception or allow-by-exception software policy | 03.04.07 | Authorized Software | Reframed; ODP for allowed/denied software |
| 3.4.9 | Control and monitor user-installed software | 03.04.08 | User-Installed Software | Retained |
CM summary: 9 Rev 2 → 8 active Rev 3.
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.5.1 | Identify users/processes/devices | 03.05.01 | Identification | Similar |
| 3.5.2 | Authenticate identities | 03.05.02 | Authenticator Management | Expanded — full authenticator lifecycle |
| 3.5.3 | MFA for privileged/non-privileged accounts | 03.05.03 | Multi-Factor Authentication | Incorporates 3.5.4; ODP for when MFA is required |
| 3.5.4 | Replay-resistant authentication mechanisms | 03.05.04 | WITHDRAWN | Into 03.05.03 |
| 3.5.5 | Prevent reuse of identifiers | 03.05.05 | Identifier Management | Incorporates 3.5.6 |
| 3.5.6 | Disable identifiers after inactivity | 03.05.06 | WITHDRAWN | Into 03.05.05 |
| 3.5.7 | Password complexity / change of characters | 03.05.07 | Password Management | Consolidates 3.5.7 through 3.5.11 |
| 3.5.8 | Prohibit password reuse | 03.05.08 | WITHDRAWN | Into 03.05.07 |
| 3.5.9 | Temporary password with immediate change | 03.05.09 | WITHDRAWN | Into 03.05.07 |
| 3.5.10 | Cryptographically-protected passwords | 03.05.10 | WITHDRAWN | Into 03.05.07 |
| 3.5.11 | Obscure feedback of authentication info | 03.05.11 | WITHDRAWN | Into 03.05.07 |
IA summary: 11 Rev 2 → 5 active Rev 3 (+ 6 withdrawn). Biggest family consolidation in Rev 3.
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.6.1 | Operational incident-handling capability | 03.06.01 | Incident Handling | IR phases retained |
| 3.6.2 | Track, document, report incidents | 03.06.02 | Incident Monitoring, Reporting, Response Planning | Adds formal IR plan requirement |
| 3.6.3 | Test incident response capability | 03.06.03 | Incident Response Testing | ODP for testing frequency |
IR summary: 3 → 3, no withdrawals.
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.7.1 | Perform maintenance | 03.07.01 | Controlled Maintenance | Incorporates 3.7.2 |
| 3.7.2 | Controls on maintenance tools/techniques/personnel | 03.07.02 | WITHDRAWN | Into 03.07.01 |
| 3.7.3 | Sanitize off-site maintenance equipment | 03.07.02 | Maintenance Tools | Renumbered; sanitization retained |
| 3.7.4 | Check diagnostic/test media for malicious code | 03.07.03 | (Nonlocal Maintenance / Media Check) | ODP added |
| 3.7.5 | MFA for nonlocal maintenance via external connections | 03.07.04 | Nonlocal Maintenance | MFA retained; ODP for authentication mechanisms |
| 3.7.6 | Supervise unauthorized maintenance personnel | 03.07.05 | Maintenance Personnel | Similar |
MA summary: 6 → 5 active (+ 1 withdrawn).
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.8.1 | Protect media containing CUI | 03.08.01 | Media Protection | Incorporates 3.8.2 |
| 3.8.2 | Limit access to CUI on media | 03.08.02 | WITHDRAWN | Into 03.08.01 |
| 3.8.3 | Sanitize/destroy media before disposal/reuse | 03.08.02 | Media Sanitization | Renumbered; ODP for sanitization methods |
| 3.8.4 | Mark media with CUI markings and distribution limits | 03.08.03 | Media Marking | Similar |
| 3.8.5 | Control access to media and accountability during transport | 03.08.04 | Media Transport | ODP for protection during transport |
| 3.8.6 | Crypto for CUI on digital media during transport | 03.08.05 | WITHDRAWN | Addressed by 03.13.08 |
| 3.8.7 | Control use of removable media | 03.08.05 | Media Use | Renumbered; ODP for restrictions |
| 3.8.8 | Prohibit portable storage without identifiable owner | 03.08.06 | WITHDRAWN | Into 03.08.05 |
| 3.8.9 | Protect confidentiality of backup CUI | 03.08.06 | Media Downgrading | Reframed |
MP summary: 9 → 6 active (+ 3 withdrawn). Key change: transport-encryption requirement moves to SC family (03.13.08).
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.9.1 | Screen individuals before authorizing access | 03.09.01 | Personnel Screening | ODP for screening criteria |
| 3.9.2 | Protect systems during/after personnel actions | 03.09.02 | Personnel Termination and Transfer | Explicit about both termination and transfer |
PS summary: 2 → 2, no withdrawals.
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.10.1 | Limit physical access to authorized individuals | 03.10.01 | Physical Access Authorizations | Authorization process now explicit |
| 3.10.2 | Protect and monitor physical facility/infrastructure | 03.10.02 | Physical Access Control | Monitoring split into separate concern |
| 3.10.3 | Escort visitors / monitor activity | 03.10.03 | Visitor Control | ODP for visitor log retention |
| 3.10.4 | Maintain audit logs of physical access | 03.10.04 | (Within broader physical access controls — verify) | Reorganized |
| 3.10.5 | Control and manage physical access devices | 03.10.05 | Physical Access Devices | ODP for inventory frequency |
| 3.10.6 | Safeguarding measures for CUI at alternate work sites | 03.10.06 | Alternate Work Sites | Adds compromise detection requirement |
PE summary: 6 → 6, no withdrawals (reorganized within family).
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.11.1 | Periodically assess risk | 03.11.01 | Risk Assessment | ODP for frequency; documents results |
| 3.11.2 | Scan for vulnerabilities | 03.11.02 | Vulnerability Monitoring and Scanning | Expanded; ODPs for scan frequency, tools, techniques; remediation tracking added |
| 3.11.3 | Remediate vulnerabilities | 03.11.03 | Vulnerability Remediation | ODP for remediation timeframes by severity |
RA summary: 3 → 3, no withdrawals.
(Renamed from "Security Assessment" in Rev 2.)
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.12.1 | Assess effectiveness of security controls | 03.12.01 | Security Assessments | ODP for frequency; more explicit scope |
| 3.12.2 | POA&M development and implementation | 03.12.02 | Plan of Action and Milestones | ODP for POA&M update frequency |
| 3.12.3 | Monitor security controls on ongoing basis | 03.12.03 | Continuous Monitoring | Expanded — monitoring strategy/program/frequency now explicit |
| 3.12.4 | SSP development, documentation, periodic update | Moved | → 03.15.02 (Planning family) | SSP requirement relocated to new PL family |
CA summary: 4 → 3 active in the CA family; SSP requirement migrated to the new PL family.
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.13.1 | Monitor/control/protect communications at boundaries | 03.13.01 | Boundary Protection | ODP for external/key internal boundaries |
| 3.13.2 | Architectural designs, software dev techniques, systems eng | 03.13.02 | Security Engineering Principles | Similar |
| 3.13.3 | Separate user and system management functionality | 03.13.03 | Security Function Isolation | Similar |
| 3.13.4 | Prevent unauthorized info transfer via shared resources | 03.13.04 | (Reframed) | May be combined/reframed in Rev 3 |
| 3.13.5 | Subnetworks for publicly accessible components | 03.13.05 | Boundary Protection – Publicly Accessible Systems | Similar |
| 3.13.6 | Deny network communications by default | 03.13.06 | Deny by Default | Similar |
| 3.13.7 | Prevent split tunneling | 03.13.07 | Boundary Protection – Split Tunneling | Similar |
| 3.13.8 | Crypto to prevent unauthorized disclosure during transmission | 03.13.08 | Cryptographic Protection | Consolidation target — 3.1.13 and 3.8.6 point here |
| 3.13.9 | Terminate network connections after inactivity | 03.13.09 | Network Disconnect | ODP for inactivity period |
| 3.13.10 | Establish/manage cryptographic keys | 03.13.10 | Cryptographic Key Management | Similar |
| 3.13.11 | Employ FIPS-validated cryptography for CUI | 03.13.11 | Cryptographic Protection – FIPS | Changed — Rev 3 uses ODP "organization-defined types of cryptography." For CMMC purposes, FIPS 140-2/140-3 validation is still the operational expectation. Do not advise clients that Rev 3 weakens this. |
| 3.13.12 | Prohibit remote activation of collaborative computing devices | 03.13.12 | Collaborative Computing Devices and Applications | ODP for authorized exceptions |
| 3.13.13 | Control and monitor mobile code | 03.13.13 | Mobile Code | ODP for mobile code technologies |
| 3.13.14 | Control and monitor VoIP | 03.13.14 | Voice Over IP Technologies | ODP for VoIP technologies |
| 3.13.15 | Protect authenticity of communications sessions | 03.13.15 | Communications Authenticity | Similar |
| 3.13.16 | Protect confidentiality of CUI at rest | 03.13.16 | CUI at Rest | ODP for types of cryptography |
SC summary: 16 → 16, no withdrawals.
| Rev 2 | Rev 2 title | Rev 3 | Status | Notes |
|---|---|---|---|---|
| 3.14.1 | Identify, report, correct system flaws | 03.14.01 | Flaw Remediation | ODP for remediation timeframes by severity |
| 3.14.2 | Malicious code protection at designated locations | 03.14.02 | Malicious Code Protection | ODP for mechanisms and locations |
| 3.14.3 | Monitor security alerts/advisories and take action | 03.14.03 | Security Alerts, Advisories, and Directives | Requires internal dissemination |
| 3.14.4 | Update malicious code protection on new releases | 03.14.04 | WITHDRAWN | Into 03.14.02 |
| 3.14.5 | Periodic and real-time scans | 03.14.04 | Malicious Code Protection – Scans | Renumbered |
| 3.14.6 | Monitor inbound/outbound traffic for attacks | 03.14.05 | System Monitoring | Expanded; ODP for monitoring activities |
| 3.14.7 | Identify unauthorized use of systems | 03.14.06 | System Monitoring – Unauthorized Use | Possibly incorporated into 03.14.05 |
SI summary: 7 → 6 active (+ 1 withdrawn).
Picks up planning requirements that were implicit or in other Rev 2 families.
| Rev 3 | Title | Origin |
|---|---|---|
| 03.15.01 | Policy and Procedures | New — formerly NFO (XX-1 type) controls that were excluded from Rev 2 |
| 03.15.02 | System Security Plan | From Rev 2 3.12.4 — relocated from CA family |
| 03.15.03 | Rules of Behavior | New — system use rules for users |
| 03.15.04 | (Additional planning requirements) | New additions from 800-53B moderate baseline |
Practitioner note: SSP migration from 3.12.4 → 03.15.02 means Rev 3 assessors will look at the SSP as a planning artifact, not a security assessment artifact. SSP content requirements are retained and expanded.
Requirements for secure acquisition of systems, components, and services.
| Rev 3 | Title | Notes |
|---|---|---|
| 03.16.01 | Security Engineering Principles for Development | Software/system development security |
| 03.16.02 | Unsupported System Components | EOL/unsupported software management |
| 03.16.03 | External System Services | Contracts/agreements with cloud/MSP providers — related to Rev 2 3.1.20 |
| 03.16.04 | (Additional SA requirements) | Acquisition documentation, security requirements in contracts |
Practitioner note: 03.16.03 is particularly relevant for clients using cloud providers — it requires verifying that service providers implement required controls. Formalizes what was implied in Rev 2 3.1.20.
| Rev 3 | Title | Notes |
|---|---|---|
| 03.17.01 | Supply Chain Risk Management Plan | Develop and maintain SCRM plan |
| 03.17.02 | Acquisition Strategies, Tools, and Methods | Address supply chain risks during acquisition |
| 03.17.03 | Supplier Reviews | Assess suppliers/vendors providing system components |
Practitioner note: Entirely new for nonfederal contractors. CMMC 2.0 (Rev 2-based) has no SR family. When/if CMMC adopts Rev 3, SCRM becomes a new assessment domain — notable for clients with complex vendor ecosystems.
| Rev 2 Control | Disposition in Rev 3 |
|---|---|
| 3.1.13 | 03.01.13 WITHDRAWN — addressed by 03.13.08 |
| 3.1.14 | 03.01.14 WITHDRAWN — into 03.01.12 |
| 3.1.15 | 03.01.15 WITHDRAWN — into 03.01.12 |
| 3.1.17 | 03.01.17 WITHDRAWN — into 03.01.16 |
| 3.1.19 | 03.01.19 WITHDRAWN — into 03.01.18 |
| 3.1.21 | 03.01.21 WITHDRAWN — into 03.01.20 |
| 3.2.3 | 03.02.03 WITHDRAWN — into 03.02.01 |
| 3.3.3 | Merged into 03.03.01 (no "withdrawn" slot) |
| 3.3.9 | 03.03.09 WITHDRAWN — into 03.03.08 |
| 3.4.4 | Merged into 03.04.03 (no "withdrawn" slot) |
| 3.5.4 | 03.05.04 WITHDRAWN — into 03.05.03 |
| 3.5.6 | 03.05.06 WITHDRAWN — into 03.05.05 |
| 3.5.8 | 03.05.08 WITHDRAWN — into 03.05.07 |
| 3.5.9 | 03.05.09 WITHDRAWN — into 03.05.07 |
| 3.5.10 | 03.05.10 WITHDRAWN — into 03.05.07 |
| 3.5.11 | 03.05.11 WITHDRAWN — into 03.05.07 |
| 3.7.2 | 03.07.02 WITHDRAWN — into 03.07.01 |
| 3.8.2 | 03.08.02 WITHDRAWN — into 03.08.01 |
| 3.8.6 | 03.08.06 WITHDRAWN — addressed by 03.13.08 |
| 3.8.8 | 03.08.08 WITHDRAWN — into 03.08.07 |
| 3.12.4 | Relocated to 03.15.02 (PL family) |
| 3.14.4 | 03.14.04 WITHDRAWN — into 03.14.02 |
Rev 3 introduces ODPs — values that the organization (or contracting federal agency) must define. Once defined, they become assessable scope. Common categories:
Pre-adoption planning for clients:
If the contracting agency specifies ODP values via contract or policy, those govern. Otherwise the contractor defines its own.
As of 2026-05-17:
Forward planning:
When a Rev 3 finding references a specific control, map back to Rev 2 to understand CMMC impact:
| If Rev 3 finds an issue with... | Check Rev 2 controls... |
|---|---|
| 03.01.01 Account Management | 3.1.1, 3.1.2 |
| 03.01.12 Remote Access | 3.1.12, 3.1.14, 3.1.15 |
| 03.01.16 Wireless Access | 3.1.16, 3.1.17 |
| 03.01.18 Mobile Device AC | 3.1.18, 3.1.19 |
| 03.01.20 External Systems | 3.1.20, 3.1.21 |
| 03.02.01 Literacy Training | 3.2.1, 3.2.3 |
| 03.03.01 Event Logging | 3.3.1 (partial), 3.3.3 |
| 03.03.08 Audit Protection | 3.3.8, 3.3.9 |
| 03.05.03 MFA | 3.5.3, 3.5.4 |
| 03.05.07 Password Management | 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11 |
| 03.13.08 Cryptographic Protection | 3.1.13, 3.8.6, 3.13.8 |
| 03.15.02 System Security Plan | 3.12.4 |
Some clients have implemented Rev 3-style controls and believe they're covered. Rev 2 has specific requirements that Rev 3 softened with ODPs — for current CMMC assessments, the Rev 2 language governs:
Controls with 5+ assessment objectives drive the bulk of assessment effort and evidence burden:
| Control | Objectives | Key evidence focus |
|---|---|---|
| 3.4.7 | 15 | Port/protocol/service documentation (most objectives of any control) |
| 3.13.1 | 8 | Network boundary definition + monitoring/control/protection |
| 3.4.5 | 8 | Change control access restrictions (physical AND logical) |
| 3.12.4 | 8 | SSP completeness (boundary, environment, connections, update freq) |
| 3.6.1 | 7 | IRP covering all IR phases |
| 3.6.2 | 6 | Incident reporting chain (internal + external) |
| 3.1.1 | 6 | User/device/process inventory + access restrictions |
| 3.1.20 | 6 | External system agreements + connection controls |
| 3.3.1 | 6 | Audit log configuration + retention policy |
| 3.3.8 | 6 | Log protection controls |
| 3.4.1 | 6 | Baseline config + asset inventory |
| 3.13.2 | 6 | Secure architecture documentation |
| 3.14.1 | 6 | Flaw ID/report/correct with defined timeframes |
| 3.1.3 | 5 | Data flow diagrams + flow enforcement |
| 3.1.22 | 5 | Public web content review process |
When clients have partial implementations, these objectives are typically split across a POA&M (some Satisfied, some Other Than Satisfied — assuming the practice is POA&M-eligible per cmmc-expert §11):
[a]–[f] Satisfied (programs/functions); [g]–[o] (ports/protocols/services) on POA&M.[a]–[d] Satisfied (log creation/content); [e]–[f] (retention) on POA&M.[b]–[c] Satisfied (MFA on privileged); [d] (network MFA for non-privileged) on POA&M.[a]–[c] Satisfied (SSP exists); [d]–[h] (specific elements) on POA&M.[a]–[b] Satisfied (types defined); [c]–[d] (active monitoring) on POA&M.For POA&M eligibility rules, point weights, and the 180-day window, see cmmc-expert §10–§11.
Primary locations: dodcio.defense.gov/CMMC/, cyber.mil, cyberab.org, sprs.csd.disa.mil.
This skill supports:
3.1.1[c], 3.13.11[a])For program-level CMMC topics — SPRS scoring, POA&M rules, scoping, ESP/CSP, C3PAO lifecycle, annual affirmation, False Claims Act risk — use the cmmc-expert skill instead.