Certified CMMC Assessor Domain 4: CMMC Level 2 Practices Course

10 hours, 15 minutes

Syllabus

CMMC Level 2 assessment objectives

Video - 00:08:00

We dive into domain 4 with a discussion of the CMMC Level 2 Guide and CMMC Assessment Process (CAP) documentation.
Methods and objects for determining evidence

Video - 00:29:00

The first section of Domain 4 focuses on the methods and objects for determining evidence.
Adequacy and sufficiency related to evidence around all practices

Video - 00:02:00

Next in the journey through Domain 4 is a discussion of adequacy and sufficiency of the evidence.
Characteristics of acceptable evidence

Video - 00:05:00

How do you know what evidence is acceptable? We'll cover the characteristics that define acceptable evidence along with potential assessment methods and objects.
Collect and examine evidence

Video - 00:02:00

You will need to know how to collect and examine evidence, which we will cover in this video.
Evidence of persistent application of practices

Video - 00:01:00

An important part of the CCA is knowing how to determine evidence of enabling persistent and habitual application of practices, which will be covered in this section.
Evidence - policy

Video - 00:09:00

Many of the assessment objectives explicitly call for a policy or a procedure, which will be discussed in this section.
Evidence - procedure

Video - 00:04:00

A common type of evidence is a procedure, and procedures support policies by specifying limitation details, which is the focus of this video.
Evidence - plans and planning documents

Video - 00:01:00

In this video, we detail how evidence may include plans and planning documents.
Evidence - resourcing

Video - 00:05:00

We continue the discussion of evidence with a section on resourcing, which typically includes funding, people, and tools.
Evidence - communication

Video - 00:01:00

Communications are an important part of evidence, and may include emails, user guides, phone call logs, instruction manuals, and anything else designed to communicate requirements for status to staff and people.
Evidence - training

Video - 00:02:00

Training should cover various topics to include business practices, the recognition of Federal contract information and controlled unclassified information, and evidence that security procedures are accurately conducted.
Characterization of evidence

Video - 00:02:00

In this video, we will focus on characterization of evidence, which includes the appropriate use of assessment methods and objectives.
CMMC Level 2 Assessment Practice Objectives Workshop

Video - 00:05:00

There are 93 CMMC level II security practices and 261 assessment objectives that support the 93 security objectives, and in this session we'll begin to look at what they are and how to use them.
Workshop example assessment objectives

Video - 00:29:00

We begin discussing level 2 practices, starting with those under the authorized access control (AC) objectives.
Identifying assessment objectives and creating implementation statements example

Video - 00:10:00

In this video, we discuss identifying assessment objectives and creating implementation statements for practices.
Control CUI flow

Video - 00:04:00

Moving to the next CMMC practice, this video discusses control CUI flow.
Separation of duties

Video - 00:20:00

Separation of duties, AC.L2-3.1.4, is the practice that we will discuss in this section.
Multi-factor authentication

Video - 00:30:00

We now move to a discussion of IA.L2-3.5.3, multifactor authentication.
Least privilege

Video - 00:05:00

In this segment you'll learn about AC.L2-3.1.5, least privilege.
Non-privileged account use

Video - 00:11:00

Continuing our journey through the access control level 2 practices, we'll cover AC.L2-3.1.6, non-privileged account use.
Privileged functions

Video - 00:02:00

The level 2 practice that we will cover in this video is AC.L2-3.1.7, privileged functions.
Unsuccessful logon attempts

Video - 00:04:00

In this video we discuss practice AC.L2-3.1.8, unsuccessful logon attempts.
Privacy and security notices

Video - 00:05:00

You will spend your time in this video learning about AC.L2-3.1.9, which focuses on privacy and security notices.
Session lock

Video - 00:05:00

We will now cover AC.L2-3.1.10, which focuses on session lock.
Session termination

Video - 00:03:00

Session termination, AC.L2-3.1.11, is the focus of our discussion in this video.
Control remote access

Video - 00:03:00

Practice AC.L2-3.1.12 encompasses controlling remote access, which is discussed in this brief video.
Remote access confidentiality

Video - 00:06:00

Remote access confidentiality, which is practice AC.L2-3.1.13, is the topic of this video.
Remote access routing

Video - 00:01:00

In this video, we will discuss AC.L2-3.1.14, which covers remote access routing.
Privileged remote access

Video - 00:02:00

Our next level two practice is AC.L2-3.1.15, covering privileged remote access.
Wireless access authorization and protection

Video - 00:09:00

Wireless access authorization and wireless access protection, AC.L2-3.1.16 and AC.L2-3.1.17, are the topics of our conversation in this video.
Mobile device connection and encryption of CUI

Video - 00:11:00

In this video, we will discuss AC.L2-3.1.18 and AC.L2-3.1.19, which concern mobile device connection and encryption of CUI on mobile devices.
Portable storage use

Video - 00:04:00

We now turn our focus to AC.L2-3.1.21, which covers the use of portable storage.
Role-based risk awareness

Video - 00:05:00

In this section, we begin looking at the level 2 practices associated with awareness and training (AT), starting with AT.L2-3.2.1, role-based risk awareness.
Role-based training

Video - 00:10:00

We continue our look at the practices associated with awareness and training but shift our focus to AT.L2-3.2.2, role-based training.
Insider threat awareness

Video - 00:02:00

Finishing out our discussions of the level two practices for awareness and training, we discuss AT.L2-3.2.3, insider threat awareness.
System auditing

Video - 00:07:00

With this video, we begin a discussion of audit and accountability (AU) level 2 practices with AU.L2-3.3.1, system auditing.
User accountability

Video - 00:05:00

An important part of the audit and accountability practices is AU.L2-3.3.2, user accountability, which we cover in this video.
Event review

Video - 00:05:00

We now turn our focus to AU.L2-3.3.3, which documents the practice of event review.
Audit failure alerting

Video - 00:04:00

Practice AU.L2-3.3.4 is audit failure alerting, which we discuss in this video.
Audit correlation

Video - 00:05:00

Next up in our exploration of the audit and accountability practices is AU.L2-3.3.5, audit correlation.
Reduction and reporting

Video - 00:02:00

Reduction and reporting, AU.L2-3.3.6 of the audit and accountability practices, is covered in this video.
Authoritative time source

Video - 00:04:00

It is important to have an authoritative time source, which is practice AU.L2-3.3.7.
Audit protection and management

Video - 00:07:00

We end our discussion of the audit and accountability practices with discussion of two practices: AU.L2-3.3.8, audit protection, and AU.L2-3.3.9, audit management.
System baselining

Video - 00:07:00

We begin our discussion of configuration management level 2 practices with CM.L2-3.4.1 which focuses on system baselining.
Security configuration enforcement

Video - 00:04:00

The next configuration management practice is CM.L2-3.4.2, which is security configuration enforcement.
System change management

Video - 00:04:00

System change management, configuration management practice CM.L2-3.4.3, is the topic of this video.
Security impact analysis

Video - 00:06:00

We now cover CM.L2-3.4.4, the practice of security impact analysis.
Access restrictions for change

Video - 00:02:00

Next we dive into practice CM.L2-3.4.5, which is access restrictions for change.
Least functionality

Video - 00:02:00

In this video, we move on to practice CM.L2-3.4.6, least functionality.
Nonessential functionality

Video - 00:04:00

The next practice we will cover is CM.L2-3.4.7, nonessential functionality.
Application execution policy

Video - 00:09:00

Practice CM.L2-3.4.8, application execution policy, is the focus of discussion in this video.
User-installed software

Video - 00:01:00

Our discussion of configuration management level 2 practices finishes up with this video on CM.L2-3.4.9, user-installed software.
Identification and authentication intro

Video - 00:01:00

In this video introduction, we begin looking at the level 2 practices for identification and authorization.
Replay-resistant authentication

Video - 00:08:00

Identification and authentication practice IA.L2-3.5.4 is replay-resistant authentication, the focus of this video.
Identifier reuse

Video - 00:06:00

Now we move on to IA.L2-3.5.5, which covers identifier reuse.
Identifier handling

Video - 00:08:00

The identification and authentication practice of IA.L2-3.5.6 is identifier handling.
Password complexity

Video - 00:15:00

Password complexity is practice IA.L2-3.5.7 under the identification and authentication objectives.
Password reuse

Video - 00:01:00

In this video we tackle IA.L2-3.5.8, which focuses on password reuse.
Temporary passwords

Video - 00:02:00

We discuss temporary passwords, which is practice IA.L2-3.5.9.
Cryptographically-protected passwords

Video - 00:02:00

Cryptographically-protected passwords are the topic in this video on practice IA.L2-3.5.10.
Obscure feedback

Video - 00:03:00

We complete looking at the level 2 practices for identification and authorization with this video on IA.L2-3.5.11, which covers obscure feedback.
Incident handling

Video - 00:06:00

Now let's dive into the incident response level 2 practices with IR.L2-3.6.1, focusing on incident handling.
Incident reporting

Video - 00:11:00

Incident reporting, IR.L2-3.6.2, is the next practice included under the incident response level 2 practices.
Incident response testing

Video - 00:03:00

We wrap up the discussion of incident response level 2 practices with incident response testing, IR.L2-3.6.3.
Perform maintenance

Video - 00:05:00

Let's begin our discussion of level 2 practices for maintenance with MA.L2-3.7.1, perform maintenance.
System maintenance control

Video - 00:09:00

System maintenance control, MA.L2-3.7.2, is the second of the maintenance level 2 practices.
Equipment sanitization

Video - 00:07:00

Practice MA.L2-3.7.3, equipment sanitization, is covered in this video.
Media inspection

Video - 00:03:00

Another important practice under maintenance is MA.L2-3.7.4, media inspection.
Nonlocal maintenance

Video - 00:06:00

In this video we discuss MA.L2-3.7.5, which deals with nonlocal maintenance.
Maintenance personnel

Video - 00:01:00

We wrap up our discussion of level 2 practices for maintenance with MA.L2-3.7.6, which details how to deal with maintenance personnel.
Media disposal

Video - 00:02:00

We cover one level 1 practice in the media protection objectives, which is MP.L1-3.8.1, media protection.
Media protection

Video - 00:04:00

Our discussion of the media protection level 2 practices begins with MP.L2-3.8.1, media protection.
Media access

Video - 00:02:00

In this video, we will discuss MP.L2-3.8.2, which focuses on media access.
Media markings

Video - 00:03:00

Media markings, practice MP.L2-3.8.4, are the topic of this video.
Media accountability

Video - 00:05:00

An important aspect of the media protection objective is practice MP.L2-3.8.5, media accountability.
Portable storage encryption

Video - 00:02:00

Portable storage encryption, which is MP.L2-3.8.6, is the subject of this lesson.
Removable media

Video - 00:05:00

In this video lesson, we will discuss MP.L2-3.8.7, which deals with removable media.
Shared media

Video - 00:02:00

Our focus now shifts to MP.L2-3.8.8, which concerns shared media.
Protect backups

Video - 00:10:00

In our last lesson on media protection level 2 objectives, we discuss MP.L2-3.8.9, protect backups.
Screen individuals

Video - 00:07:00

There are only two practices under personnel security, and in this video we discuss the first, PS.L2-3.9.1, screen individuals.
Personnel actions

Video - 00:08:00

In our second, and last, lesson on personnel security objectives, we will discuss PS.L2-3.9.2, which addresses personnel actions.
Monitor facility

Video - 00:03:00

We now begin our discussion of the physical protection level 2 practices, beginning with PE.L2-3.10.2, monitor facility.
Alternative work sites

Video - 00:02:00

We end our discussion of the physical protection practices with PE.L2-3.10.6, which addresses alternative work sites.
Risk assessments

Video - 00:05:00

In this video, we start our focus on the level 2 practices for the risk assessment objectives with RA.L2-3.11.1, risk assessments.
Vulnerability scan

Video - 00:08:00

Continuing our focus on risk assessment level two practices, we now focus on RA.L2-3.11.2, vulnerability scans.
Vulnerability remediation

Video - 00:04:00

Rounding out our discussions of the risk assessment level two practices, we discuss RA.L2-3.11.3, vulnerability remediation.
Security control assessment

Video - 00:07:00

This lesson begins our focus on the security assessment level two practices, starting with CA.L2-3.12.1, security control assessments.
Plan of action

Video - 00:07:00

One of the most important of the security assessment practices is to have a plan of action, the focus of CA.L2-3.12.2 and this video.
Security control monitoring

Video - 00:02:00

The security assessment practice we will address in this video is security control monitoring, CA.L2-3.12.3.
System security plan

Video - 00:09:00

We complete our look at the security assessment level two practices with CA.L2-3.12.4, which is to have a system security plan.
Security engineering

Video - 00:13:00

There are 16 system and communication protection level 2 practices, and, as we looked at SC.L2-3.13.1 in another video, we will look in this video at SC.L2-3.13.2, security engineering.
Role separation

Video - 00:08:00

Next on our list of system and communication protection level two practices is SC.L2-3.13.3, which addresses role separation.
Shared resource control

Video - 00:06:00

Shared resource control is the focus of our lesson in this video; it is system and communication protection practice SC.L2-3.13.4.
Network communication by exception

Video - 00:06:00

Now we will discuss system and communication protection practice SC.L2-3.13.6, which is network communication by exception.
Split tunneling

Video - 00:02:00

Moving on in our discussions of the system and communication protection practices, we will look at SC.L2-3.13.7, split tunneling.
Data in transit

Video - 00:07:00

The protection of data in transit is our focus in this lesson, which is system and communication protection level two practice SC.L2-3.13.8.
Connections termination

Video - 00:01:00

In this video, we focus on system and communication protection practice SC.L2-3.13.9, connections termination.
Key management

Video - 00:05:00

Continuing our look at system and communication protection practices, we will now discuss SC.L2-3.13.10, which pertains to key management.
CUI encryption

Video - 00:02:00

Next on our list of system and communication protection level 2 practices is SC.L2-3.13.11, which focuses on CUI encryption.
Collaborative device control

Video - 00:03:00

Collaborative device control is the focus of this lesson, which is system and communication protection level 2 practice SC.L2-3.13.12.
Mobile code

Video - 00:04:00

We now dive into system and communication protection level 2 practice SC.L2-3.13.13, focusing on mobile code.
Voice over internet protocol

Video - 00:08:00

Voice over internet protocol (VOIP) is system and communication protection level 2 practice SC.L2-3.13.14, which we will tackle in this video.
Communications authenticity

Video - 00:02:00

In this video we address system and communication protection level 2 practice SC.L2-3.13.15, communications authenticity.
Data at rest

Video - 00:01:00

We complete our look at system and communication protection level 2 practices with SC.L2-3.13.16, focusing on data at rest.
Security alerts and advisories

Video - 00:06:00

Beginning our discussion of system and information integrity level 2, we look at practice SI.L2-3.14.3, security alerts and advisories.
Monitor communications for attacks

Video - 00:04:00

In this video we discuss SI.L2-3.14.6, which focuses on monitoring communications for attacks.
Identify unauthorized use

Video - 00:05:00

We wrap up our discussion of system and information integrity Level 2 practices with SI.L2-3.14.7, identifying unauthorized use.
