Skip to content

CMMC's Technical Security Controls

 

Explore the Technical Security Controls under CMMC, CUI encryption requirements, MFA, monitoring requirements, and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

What is the FIPS 140-2 / 140-3 validated encryption requirement under CMMC Level 2? 

 

Summary: CMMC Level 2 requires that any cryptographic module used to protect CUI must be validated under the Federal Information Processing Standard (FIPS) 140-2 or its successor FIPS 140-3, as required by NIST SP 800-171 Rev 2 control 3.13.10, a standard that requires third-party testing and NIST certification, not vendor self-declaration. 

FIPS 140 validation requires testing by an accredited Cryptographic Module Testing Laboratory (CMTL) and listing on the NIST Cryptographic Module Validation Program (CMVP) database. Common tools such as BitLocker (when properly configured) and Microsoft’s Windows CNG cryptographic module, along with cloud services operating under FedRAMP authorizations that include validated cryptographic modules, generally meet this requirement. 

Contractors must verify FIPS validation by checking the NIST CMVP database for the specific module and version in use. FIPS 140-validated cryptography is consistently among the top three most-failed controls in DIBCAC assessments, largely because organizations deploy encryption without verifying the FIPS validation status of the underlying cryptographic module.

 

What are the CUI encryption requirements at rest and in transit under CMMC Level 2? 

 

Summary: CMMC Level 2 imposes distinct encryption obligations depending on the state of CUI: CUI in transit must be encrypted using FIPS 140-validated mechanisms whenever transmitted across networks (NIST SP 800-171 Rev 2 control 3.13.8), and CUI at rest on mobile devices and mobile computing platforms must be encrypted using FIPS 140-validated modules (control 3.13.16). 

In transit: Any CUI transmitted over networks, including internal networks, external networks, the internet, or via email, must be protected using FIPS 140-validated encryption such as TLS 1.2 or TLS 1.3 with validated cipher suites. Unencrypted transmission of CUI over any network is a direct control failure. 

At rest on mobile devices: CUI stored on laptops, tablets, smartphones, or removable media must be encrypted with FIPS 140-validated modules. While NIST SP 800-171 Rev 2 does not include a blanket at-rest encryption requirement for fixed systems, encrypting CUI on all storage, servers, desktops, cloud storage, is a strongly recommended implementation practice and may be required by specific CUI category handling requirements. Contractors should document their encryption implementation, including the specific validated module, version, and CMVP certificate number, in their System Security Plan (SSP). 

 

Does CMMC Level 2 require multi-factor authentication (MFA), and where does it apply? 

 

Summary: CMMC Level 2 requires multi-factor authentication for local access to privileged accounts, for network access to privileged accounts, and for network access to non-privileged accounts, as specified in NIST SP 800-171 Rev 2 control 3.5.3. 

MFA means using two or more different authentication factors, something you know (password), something you have (hardware token, authenticator app, smart card), or something you are (biometric). A password plus a security question does not satisfy MFA because both factors are “something you know.” MFA must be enforced on all administrator and privileged accounts for any access method, and on all standard user accounts that access organizational systems over a network including VPN, remote desktop, and web application access. 

Cloud services, VPNs, email platforms, engineering applications, and any other system handling CUI must enforce MFA for all access. MFA is one of the most commonly found gaps during CMMC Level 2 assessments, often because organizations have deployed MFA on some systems but exempted certain accounts or access methods. All MFA configurations must be documented in the SSP. 

 

What are the least privilege and need-to-know access control requirements under CMMC? 

 

CMMC Level 2 requires contractors to implement the principles of least privilege and need-to-know throughout their information systems under NIST SP 800-171 Rev 2 controls 3.1.5 (least privilege) and 3.1.3 (CUI flow control), ensuring users and processes have only the minimum access necessary to perform their assigned functions. 

Least privilege means user accounts, service accounts, and system processes are granted only the permissions required for their specific role. Administrative accounts should be used only for administrative functions and should be separate from regular user accounts. Privileged access must be audited and reviewed periodically. 

Need-to-know means access to CUI is further restricted within authorized users to only those who have a specific operational need for that particular information. Contractors must maintain role-based access control (RBAC) policies, document access authorization decisions, and conduct periodic access reviews to remove permissions that are no longer needed. These requirements must be reflected in the System Security Plan (SSP) and supported by access control logs as evidence. 

 

What are the audit logging and system monitoring requirements under CMMC Level 2? 

 

Summary: CMMC Level 2 requires contractors to create and retain audit logs sufficient to enable the detection, investigation, and reporting of unauthorized system activity, as specified across the Audit and Accountability (AU) domain’s 9 requirements in NIST SP 800-171 Rev 2. 

Audit logs must capture user login and logout events, privileged account activity, system and application changes, access to CUI, failed access attempts, and system security-relevant events. Logs must be retained for a period defined in organizational policy, typically 90 days immediately available and one year archived. Log integrity must be protected; logs must not be alterable or allowed to be deleted by standard users. Audit logging must be enabled across all in-scope systems, endpoints, servers, network devices, cloud services, and VPNs. 

Audit failures must trigger automated alerts. Logs must be reviewed regularly for indicators of compromise or unauthorized activity, and the review process must be documented. Security Information and Event Management (SIEM) systems are a common implementation approach for organizations with complex environments. 

 

What does continuous monitoring require under CMMC Level 2? 

 

Summary: Continuous monitoring under CMMC Level 2 is the ongoing practice of maintaining visibility into the security posture of information systems handling CUI, detecting changes that could introduce vulnerabilities, and ensuring security controls remain effective between formal assessment cycles, as required by NIST SP 800-171 Rev 2 Security Assessment (CA) domain control 3.12.3 and System and Information Integrity (SI) domain controls 3.14.1 through 3.14.7. 

In practice, continuous monitoring encompasses several concurrent activities: regular vulnerability scanning of in-scope systems (at minimum quarterly and after significant system changes); real-time monitoring of audit logs for anomalous activity; malware scanning on all in-scope endpoints; patch status tracking to ensure timely remediation of identified vulnerabilities; monitoring of configuration changes against established baselines; and tracking of user access changes. 

Continuous monitoring is distinct from annual assessments, it is an ongoing operational capability, not a periodic event. Organizations must define their continuous monitoring strategy in their System Security Plan (SSP) and demonstrate evidence of its execution during C3PAO assessments. The absence of a documented and executed continuous monitoring program is a common finding during CMMC Level 2 assessments. 

 

What are the configuration management and baseline requirements under CMMC Level 2? 

 

Summary: CMMC Level 2 requires contractors to establish, document, and enforce security configuration baselines for all in-scope information systems and to control changes through a formal change management process, as required by the Configuration Management (CM) domain’s 9 controls in NIST SP 800-171 Rev 2. 

A security configuration baseline is a documented, approved set of security settings for a system or device type representing the minimum acceptable security posture. Baselines must be established for all system types, workstations, servers, network devices, mobile devices, and cloud environments. Hardening standards such as the Center for Internet Security (CIS) Benchmarks or DISA Security Technical Implementation Guides (STIGs) are commonly used as foundations. 

Any deviation from an established baseline must be documented, reviewed, and approved. All software installed on in-scope systems must be authorized, unauthorized software must be prevented or detected and removed. Changes to systems must go through a documented change control process that includes security impact analysis before implementation. Configuration baselines and change records must be maintained as evidence for assessment.

 

What are the vulnerability management and patch management requirements under CMMC Level 2? 

 

Summary: CMMC Level 2 requires contractors to identify, prioritize, and remediate vulnerabilities in their information systems in a timely manner, driven by risk, under NIST SP 800-171 Rev 2 Risk Assessment (RA) domain control 3.11.2 (vulnerability scanning) and System and Information Integrity (SI) domain control 3.14.1 (flaw remediation). 

Vulnerability management requires conducting regular vulnerability scans, at minimum quarterly and immediately after significant changes, using authenticated scanning tools that identify software vulnerabilities, misconfigurations, and missing patches across all in-scope systems. Scan results must be analyzed and vulnerabilities prioritized based on severity using CVSS scores, exploitability, and exposure. 

Patch management requires deploying security patches within defined timelines based on risk: critical patches (CVSS 9.0–10.0) typically within 72 hours to 14 days; high patches within 30 days; medium and low within 90 days. These timelines must be defined in organizational policy. Patch status must be tracked, and exceptions must be documented with compensating controls. Unpatched vulnerabilities in in-scope systems are among the most common findings in CMMC Level 2 assessments, particularly on legacy systems that contractors have not prioritized for maintenance. 

 

What are the media protection requirements for CUI under CMMC? 

 

Summary: CMMC Level 2 requires contractors to protect, control, and properly sanitize or destroy all digital and physical media containing CUI throughout its lifecycle, under the Media Protection (MP) domain’s 9 controls in NIST SP 800-171 Rev 2. 

Digital media includes hard drives, SSDs, USB flash drives, optical discs, backup tapes, and any removable storage device. Physical media includes printed documents, photographs, and other hard-copy materials. Key obligations include: restricting access to CUI-containing media to authorized users; marking all media with CUI designations; encrypting portable digital media using FIPS 140-validated cryptography; defining which removable media types are permitted and enforcing authorization; and sanitizing or destroying media before disposal or reuse using NIST SP 800-88 compliant methods (overwriting, degaussing, or physical destruction). 

Organizations that do not maintain an inventory of portable media containing CUI and cannot demonstrate proper disposal procedures consistently fail this domain. Media in transit must also be protected using physical safeguards or cryptographic protection. 

 

What are the system and communications protection requirements under CMMC Level 2? 

 

Summary: CMMC Level 2 requires contractors to monitor, control, and protect the communications and data flows within and between information systems handling CUI, and to enforce architectural boundaries that separate CUI from less sensitive environments, under the System and Communications Protection (SC) domain’s 16 controls in NIST SP 800-171 Rev 2. 

Core requirements include: implementing network boundary protections that separate in-scope CUI systems from external networks and from non-CUI organizational systems; enforcing a deny-all, permit-by-exception policy for network traffic; prohibiting split tunneling on VPN connections so remote users cannot simultaneously access both the organizational network and the public internet; encrypting all CUI in transit using FIPS 140-validated mechanisms; implementing session termination after inactivity; and employing network segmentation to isolate CUI environments. 

Organizations that route CUI across networks without encryption, that permit split tunneling, or that have not implemented network segmentation between CUI and non-CUI environments frequently fail multiple SC controls during assessments. 

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties