1. Assessment Phase

  • CMMC 2.0 Level 2 Compliance Assessment Execution
20 Credits

CMMC 2.0 Level 2 Compliance Report

Overview

This report performs a technical assessment of your AWS environment against the CMMC 2.0 Level 2 compliance standard. CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 2 focuses on advanced cybersecurity practices for organizations that handle Controlled Unclassified Information (CUI). It aligns closely with NIST SP 800-171 and introduces more stringent controls than Level 1 to ensure enhanced protection of sensitive data.

This assessment evaluates your environment based on the following grouped controls:

Access Control (AC)

  • AC.L1-3.1.1 – Authorized Access Control
  • AC.L1-3.1.2 – Transaction & Function Control
  • AC.L1-3.1.20 – External Connections
  • AC.L2-3.1.3 – Control CUI Flow
  • AC.L2-3.1.4 – Separation of Duties
  • AC.L2-3.1.5 – Least Privilege
  • AC.L2-3.1.6 – Non-Privileged Account Use
  • AC.L2-3.1.7 – Privileged Functions
  • AC.L2-3.1.12 – Control Remote Access
  • AC.L2-3.1.13 – Remote Access Confidentiality

Audit and Accountability (AU)

  • AU.L2-3.3.1 – System Auditing
  • AU.L2-3.3.2 – User Accountability
  • AU.L2-3.3.4 – Audit Failure Alerting
  • AU.L2-3.3.5 – Audit Correlation
  • AU.L2-3.3.8 – Audit Protection

Security Assessment (CA)

  • CA.L2-3.12.2 – Operational Plan of Action
  • CA.L2-3.12.3 – Security Control Monitoring

Configuration Management (CM)

  • CM.L2-3.4.1 – System Baselining
  • CM.L2-3.4.2 – Security Configuration Enforcement
  • CM.L2-3.4.3 – System Change Management
  • CM.L2-3.4.6 – Least Functionality
  • CM.L2-3.4.7 – Nonessential Functionality
  • CM.L2-3.4.9 – User-Installed Software

Identification and Authentication (IA)

  • IA.L1-3.5.1 – Identification
  • IA.L1-3.5.2 – Authentication
  • IA.L2-3.5.3 – Multifactor Authentication
  • IA.L2-3.5.6 – Identifier Handling
  • IA.L2-3.5.7 – Password Complexity
  • IA.L2-3.5.8 – Password Reuse
  • IA.L2-3.5.10 – Cryptographically-Protected Passwords

Incident Response (IR)

  • IR.L2-3.6.1 – Incident Handling

Maintenance (MA)

  • MA.L2-3.7.5 – Nonlocal Maintenance

Risk Assessment (RA)

  • RA.L2-3.11.2 – Vulnerability Scan

System and Communications Protection (SC)

  • SC.L1-3.13.1 – Boundary Protection
  • SC.L2-3.13.2 – Security Engineering
  • SC.L2-3.13.4 – Shared Resource Control
  • SC.L2-3.13.8 – Data in Transit
  • SC.L2-3.13.10 – Key Management
  • SC.L2-3.13.15 – Communications Authenticity
  • SC.L2-3.13.16 – Data at Rest

System and Information Integrity (SI)

  • SI.L1-3.14.1 – Flaw Remediation
  • SI.L1-3.14.2 – Malicious Code Protection
  • SI.L1-3.14.5 – System & File Scanning
  • SI.L2-3.14.3 – Security Alerts & Advisories
  • SI.L2-3.14.6 – Monitor Communications for Attacks
  • SI.L2-3.14.7 – Identify Unauthorized Use

The assessment covers many AWS services, including IAM, EC2, CloudTrail, KMS, and Security Hub.

Upon completion, you will receive a detailed report identifying all passed and failed resources, along with actionable remediation steps to help you achieve compliance with the CMMC 2.0 Level 2 technical recommendations.