CMMC - NIST 800-171 Update Control Record

Control ID (select one)

Control ID | Level | Requirement
AC.L1-3.1.1 | Level 1 | Limit system access to authorized users, processes acting on behalf of users, and devices (including identification and enforcement)
AC.L1-3.1.2 | Level 1 | Limit system access to the types of transactions and functions authorized users are permitted to execute
AC.L1-3.1.20 | Level 1 | Control and verify use of external systems
AC.L1-3.1.22 | Level 1 | Control posting of information on publicly accessible systems
AT.L1-3.2.1 | Level 1 | Ensure that managers, systems administrators, and users are made aware of security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems
AU.L1-3.3.1 | Level 1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity
CM.L1-3.4.1 | Level 1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles
IA.L1-3.5.1 | Level 1 | Identify users, processes, and devices
IA.L1-3.5.2 | Level 1 | Authenticate users, processes, and devices
IR.L1-3.6.1 | Level 1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities
MP.L1-3.8.1 | Level 1 | Physically control and securely store media
MP.L1-3.8.2 | Level 1 | Limit access to CUI on media
MP.L1-3.8.3 | Level 1 | Sanitize or destroy media before disposal/reuse
PE.L1-3.10.1 | Level 1 | Limit physical access to authorized individuals
PE.L1-3.10.3 | Level 1 | Escort and monitor visitors
PE.L1-3.10.4 | Level 1 | Maintain physical access logs
PE.L1-3.10.5 | Level 1 | Control physical access devices
SC.L1-3.13.1 | Level 1 | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
SC.L1-3.13.5 | Level 1 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
SI.L1-3.14.1 | Level 1 | Identify, report, and correct system flaws
SI.L1-3.14.2 | Level 1 | Provide malicious code protection
SI.L1-3.14.4 | Level 1 | Update malicious code protection mechanisms when new releases are available
SI.L1-3.14.5 | Level 1 | Perform malware scans
AC.L2-3.1.10 | Level 2 | Implement session lock after defined inactivity
AC.L2-3.1.11 | Level 2 | Terminate sessions after defined conditions
AC.L2-3.1.12 | Level 2 | Control and monitor remote access sessions
AC.L2-3.1.13 | Level 2 | Protect remote access using cryptography
AC.L2-3.1.14 | Level 2 | Route remote access through managed access control points
AC.L2-3.1.15 | Level 2 | Authorize remote execution of privileged commands and access to sensitive data
AC.L2-3.1.16 | Level 2 | Authorize wireless access
AC.L2-3.1.17 | Level 2 | Protect wireless access using authentication and encryption
AC.L2-3.1.18 | Level 2 | Control and monitor mobile device connections
AC.L2-3.1.19 | Level 2 | Encrypt CUI on mobile devices
AC.L2-3.1.21 | Level 2 | Control use of portable storage devices containing CUI
AC.L2-3.1.3 | Level 2 | Control CUI information flow including policies, enforcement, and authorized sources/destinations
AC.L2-3.1.4 | Level 2 | Enforce separation of duties among individuals
AC.L2-3.1.5 | Level 2 | Employ least privilege for privileged accounts and security functions
AC.L2-3.1.6 | Level 2 | Use non-privileged accounts for non-security functions
AC.L2-3.1.7 | Level 2 | Prevent non-privileged users from executing privileged functions and log execution
AC.L2-3.1.8 | Level 2 | Limit unsuccessful logon attempts
AC.L2-3.1.9 | Level 2 | Display privacy and security notices
IA.L2-3.5.10 | Level 2 | Encrypt passwords in storage and transit
IA.L2-3.5.11 | Level 2 | Obscure authentication information
IA.L2-3.5.3 | Level 2 | Use MFA for privileged and network access
IA.L2-3.5.4 | Level 2 | Use replay-resistant authentication
IA.L2-3.5.5 | Level 2 | Prevent reuse of identifiers
IA.L2-3.5.6 | Level 2 | Disable inactive accounts
IA.L2-3.5.7 | Level 2 | Enforce password complexity
IA.L2-3.5.8 | Level 2 | Prevent password reuse
IA.L2-3.5.9 | Level 2 | Force password change from temporary passwords
MP.L2-3.8.4 | Level 2 | Mark media containing CUI
MP.L2-3.8.5 | Level 2 | Control and track media transport
MP.L2-3.8.6 | Level 2 | Protect media in transit
MP.L2-3.8.7 | Level 2 | Control use of removable media
MP.L2-3.8.8 | Level 2 | Prohibit unidentified portable storage use
MP.L2-3.8.9 | Level 2 | Protect backup media
PE.L2-3.10.2 | Level 2 | Protect and monitor facilities
PE.L2-3.10.6 | Level 2 | Secure alternate work sites
SI.L2-3.14.3 | Level 2 | Respond to security alerts
SI.L2-3.14.6 | Level 2 | Monitor system and network for attacks
SI.L2-3.14.7 | Level 2 | Detect unauthorized system use

Status (select one)
• Implemented
• Partially Implemented
• Not Implemented
• Planned
• In Progress
• Complete

Implementation

🔹 Task 1 — Unique User Identification (IA.L1-3.5.1)
1. Go to: Entra ID → Users
2. Verify:
   • Each user has a unique account
   • No shared accounts exist
3. Disable any shared/generic accounts
📸 Evidence:
   • User list screenshot
   • Disabled accounts (if applicable)

🔹 Task 2 — Enforce Authentication (IA.L1-3.5.2)
1. Go to: Entra ID → Security → Authentication Methods
2. Enable:
   • Microsoft Authenticator
   • SMS (optional backup)
3. Go to: Conditional Access
4. Confirm the MFA policy is enforced (from the AC task)

Alternate location: 👉 Conditional Access (Recommended / Modern)
Go to: 👉 https://entra.microsoft.com
Entra ID → Security → Conditional Access → Policies
Look for a policy like:
   • Require MFA
   • Require MFA and Compliant Device
   • Or whatever you named it
📸 Evidence:
   • MFA settings
   • Policy enforcement

Validation Method

Findings

Recommendations

Comments

Responsible Person (select one)
• Byran Pham
• Olivia Cruz-Martinez
• Barbara Lanza
• Margie Collins

Bitrix Task No.

Deadline