Below is a detailed overview of how Portnox CLEAR, a cloud-delivered NAC-as-a-Service, aligns with the current CMMC compliance standards across its three primary levels. Each row lists the CMMC practice and whether Portnox meets it, contributes to it, or is not applicable (N/A).
CMMC Level | Domain | Control No. | Practice | Practice Description | Portnox Value |
---|---|---|---|---|---|
1 | Physical Protection | 9 | PE.1.132 | Escort visitors and monitor visitor activity | N/A |
1 | System & Information Integrity | 17 | SI.1.213 | Perform periodic scans of the IS and real time scans of files from external sources as downloaded, opened or executed | N/A |
1 | System & Information Integrity | 16 | SI.1.212 | Update malware protection software when available | N/A |
1 | System & Information Integrity | 15 | SI.1.211 | Provide protection from malware where appropriate | Meets |
1 | System & Information Integrity | 14 | SI.1.210 | Identify, report, and correct IS flaws in a timely manner | Meets |
1 | System & Comm Protection | 13 | SC.1.176 | Implement subnetworks for public systems | Meets |
1 | System & Comm Protection | 12 | SC.1.175 | Monitor, control & protect information transmitted or received by IS at perimeter and key internal boundaries | Contributes |
1 | Physical Protection | 11 | PE.1.134 | Control and manage physical access devices | Meets |
1 | Physical Protection | 10 | PE.1.133 | Maintain audit logs of physical access | N/A |
1 | Access Control | 1 | AC.1.001 | Limit IS access to authorized users, processes, and devices | Meets |
1 | Physical Protection | 8 | PE.1.131 | Limit access to authorized individuals | N/A |
1 | Media Protection | 7 | MP.1.118 | Sanitize or destroy media containing Federal Contract (or PII or sensitive data) before disposal | N/A |
1 | ID & Authenticate | 6 | IA.1.077 | Authenticate/verify the ID of those users/processes/devices before giving access | Meets |
1 | ID & Authenticate | 5 | IA.1.076 | Identify users, processes, and devices | Meets |
1 | Access Control | 4 | AC.1.004 | Control information posted or processed on public IS | N/A |
1 | Access Control | 3 | AC.1.003 | Verify & Control connections to and use of external IS | Contributes |
1 | Access Control | 2 | AC.1.002 | Limit IS access to types of transactions & functions that are required for authorized users | Meets |
CMMC Level | Domain | Control No. | Practice | Practice Description | Portnox Value |
---|---|---|---|---|---|
2 | ID & Authenticate | 31 | IA.2.080 | Allow Temp PWD for login with immediate change to permanent password | N/A |
2 | Media Protection | 43 | IA.1.077 | Authenticate/verify the ID of those users/processes/devices before giving access | N/A |
2 | Incident Response | 42 | MA.2.114 | Supervise maintenance personnel who don't have authorization | N/A |
2 | Incident Response | 40 | MA.2.112 | Controls on maintenance | N/A |
2 | Incident Response | 39 | MA.2.111 | Maintenance on organizational systems | N/A |
2 | Incident Response | 38 | IR.2.097 | Root Cause Analysis on incidents | N/A |
2 | Incident Response | 36 | IR.2.094 | Analyze & Triage events for resolution & declaration | N/A |
2 | ID & Authenticate | 33 | IA.2.082 | Obscure Feedback of authentication information | N/A |
2 | ID & Authenticate | 32 | IA.2.081 | Store and transmit only encrypted passwords | N/A |
2 | Media Protection | 44 | MP.2.119 | Physically control and securely store media (digital or paper) containing CUI or other sensitive data | N/A |
2 | ID & Authenticate | 30 | IA.2.079 | Prohibit Password reuse for a specified number of generations | N/A |
2 | ID & Authenticate | 29 | IA.2.078 | Min password complexity and change of char | N/A |
2 | Configuration Management | 24 | CM.2.064 | Security Config Settings for IT products | N/A |
2 | Configuration Management | 22 | CM.2.062 | Principle of least functionality -config to only do what's needed | N/A |
2 | Awareness & Training | 20 | AT.2.057 | Train users in assigned IS related duties/responsibilities | N/A |
2 | Awareness & Training | 19 | AT.2.056 | Educate mgrs, admins, users of security risks and policies | N/A |
2 | Audit & Accountability | 18 | AU.2.044 | Review Audit Logs | N/A |
2 | Recovery | 55 | RE.2.138 | Protect confidentiality of backup CUI where stored | N/A |
2 | System & Information Integrity | 69 | SI.1.210 | Identify, report, and correct IS flaws in a timely manner | N/A |
2 | System & Information Integrity | 68 | SI.1.212 | Update malware protection software when available | N/A |
2 | System & Comm Protection | 65 | SC.2.179 | Encrypt management sessions to devices | N/A |
2 | System & Comm Protection | 64 | SC.2.178 | Prohibit remote activation of devices and notify of use | N/A |
2 | Security Assessment | 61 | CA.2.159 | Implement plans to correct deficiencies & vulnerabilities | N/A |
2 | Security Assessment | 60 | CA.2.158 | Periodically assess security controls | N/A |
2 | Security Assessment | 59 | CA.2.157 | Documentation of security plans | N/A |
2 | Risk Management | 57 | RM.2.142 | Vulnerability Scan | N/A |
2 | Audit & Accountability | 17 | AU.2.043 | Synchronize system clocks with authoritative source for time stamps | N/A |
2 | Recovery | 54 | RE.2.137 | Regularly perform and test backups | N/A |
2 | Physical Protection | 53 | PE.2.135 | Protect/Monitor Physical Facility | N/A |
2 | Physical Protection | 51 | PE.1.133 | Maintain audit logs of physical access | N/A |
2 | Physical Protection | 50 | PE.1.132 | Escort visitors and monitor visitor activity | N/A |
2 | Physical Protection | 49 | MP.1.118 | Sanitize or destroy media containing Federal Contract (or PII or sensitive data) before disposal | N/A |
2 | Personnel Security | 48 | PS.2.128 | Protect CUI/SD during terminations/transfers | N/A |
2 | Personnel Security | 47 | PS.2.127 | Screen personnel | N/A |
2 | System & Comm Protection | 63 | 0 | 0 | Meets |
2 | Audit & Accountability | 15 | AU.2.041 | Users must be uniquely identified and tracked for accountability | Meets |
2 | Access Control | 14 | AC.2.016 | Control Flow of CUI in accordance with approved auth. | Meets |
2 | Access Control | 13 | AC.2.015 | Remote Access only through managed access control points | Meets |
2 | Access Control | 12 | AC.2.013 | Monitor and control remote access sessions | Meets |
2 | Access Control | 11 | AC.2.011 | Authorized Wireless Access | Meets |
2 | Access Control | 10 | AC.2.010 | Inactivity Session Lockout | Meets |
2 | Access Control | 6 | AC.2.006 | Limit Use of portable storage devices on ext systems | Meets |
2 | Access Control | 5 | AC.2.005 | Privacy & Security notices consistent with applicable CUI Rules | Meets |
2 | Audit & Accountability | 16 | AU.2.042 | System Audit logs and records | Meets |
2 | System & Comm Protection | 62 | PE.1.134 | Control and manage physical access devices | Meets |
2 | Risk Management | 58 | RM.2.143 | Remediate vulnerabilities from scan and assessment | Meets |
2 | Risk Management | 56 | RM.2.141 | Periodic risk assessment around systems and handling of CUI/SD | Meets |
2 | Media Protection | 46 | MP.2.121 | Control use of removable media | Meets |
2 | Media Protection | 45 | MP.2.120 | Limit access to CUI/sensitive data on systems to authorized users | Meets |
2 | Incident Response | 41 | MA.2.113 | MFA for remote connections and terminate upon completion | Meets |
2 | Incident Response | 37 | IR.2.096 | Pre-defined responses to declared incidents | Meets |
2 | System & Information Integrity | 66 | SC.1.176 | Implement subnetworks for public systems | Meets |
2 | Access Control | 9 | AC.2.009 | Limit unsuccessful logon attempts | N/A |
2 | Access Control | 8 | AC.2.008 | Use non-priv accounts when doing non-priv functions | N/A |
2 | Access Control | 7 | AC.2.007 | Principle of Least Privilege | N/A |
2 | System & Information Integrity | 71 | SI.2.216 | Monitor systems and traffic to detect attack patterns | Contributes |
2 | System & Information Integrity | 70 | SI.2.214 | Monitor security alerts and take action | Contributes |
2 | Configuration Management | 21 | CM.2.061 | Baseline configs and inventory | Contributes |
2 | System & Information Integrity | 72 | SI.2.217 | Identify Unauthorized use of organizational systems | Meets |
2 | System & Information Integrity | 67 | SI.1.211 | Provide protection from malware where appropriate | Meets |
2 | Incident Response | 35 | IR.2.093 | Detect and report events | Meets |
2 | Physical Protection | 52 | PE.1.131 | Limit access to authorized individuals | Meets |
2 | Incident Response | 34 | IR.2.092 | Operational Incident Handling capability | Meets |
2 | ID & Authenticate | 28 | IA.1.077 | Authenticate/verify the ID of those users/processes/devices before giving access | Meets |
2 | ID & Authenticate | 27 | AC.1.004 | Control information posted or processed on public IS | Meets |
2 | Configuration Management | 26 | CM.2.066 | Analyze security impact of changes prior to implementation | Meets |
2 | Configuration Management | 25 | CM.2.065 | Track, review, approve/disapprove, and log changes to systems | Meets |
2 | Configuration Management | 23 | CM.2.063 | Control and Monitor User Installed Software | Meets |
CMMC Level | Domain | Control No. | Practice | Practice Description | Portnox Value |
---|---|---|---|---|---|
3 | Access Control | 1 | AC.1.001 | Limit IS access to authorized users, processes, and devices | Meets |
3 | Access Control | 2 | AC.1.002 | Limit IS access to types of transactions & functions that are required for authorized users | Meets |
3 | Access Control | 5 | AC.2.005 | Privacy & Security notices consistent with applicable CUI Rules | Meets |
3 | Access Control | 6 | AC.2.006 | Limit Use of portable storage devices on ext systems | Meets |
3 | Access Control | 10 | AC.2.010 | Inactivity Session Lockout | Meets |
3 | Access Control | 11 | AC.2.011 | Authorized Wireless Access | Meets |
3 | Access Control | 12 | AC.3.012 | Protect Wireless with Authentication & Encryption | Meets |
3 | Access Control | 13 | AC.2.013 | Monitor and control remote access sessions | Meets |
3 | Access Control | 15 | AC.2.015 | Remote Access only through managed access control points | Meets |
3 | Access Control | 18 | AC.3.018 | Prevent admin functions from normal users, log admin activity | Meets |
3 | Access Control | 20 | AC.3.020 | Control Connection of mobile devices | Meets |
3 | Access Control | 22 | AC.3.022 | Encrypt CUI/SD on mobile devices & laptops | Meets |
3 | Audit & Accountability | 24 | AU.2.041 | Users must be uniquely identified and tracked for accountability | Meets |
3 | Audit & Accountability | 25 | AU.2.042 | System Audit logs and records | Meets |
3 | Configuration Management | 44 | CM.3.068 | Restrict/disable/prevent use of nonessential functions | Meets |
3 | Configuration Management | 45 | CM.3.069 | Blacklist policy to prevent unauthorized software, or whitelist approved software | Meets |
3 | Incident Response | 57 | IR.2.092 | Operational Incident Handling capability | Meets |
3 | Incident Response | 58 | IR.2.093 | Detect and report events | Meets |
3 | Incident Response | 60 | IR.2.096 | Pre-defined responses to declared incidents | Meets |
3 | Risk Management | 89 | RM.2.141 | Periodic risk assessment around systems and handling of CUI/SD | Meets |
3 | Risk Management | 91 | RM.2.143 | Remediate vulnerabilities from scan and assessment | Meets |
3 | Risk Management | 92 | RM.3.144 | Periodic risk assessments overall risk | Meets |
3 | Risk Management | 93 | RM.3.146 | Risk Mitigation Plans | Meets |
3 | Configuration Management | 39 | CM.2.063 | Control and Monitor User Installed Software | Meets |
3 | Configuration Management | 41 | CM.2.065 | Track, review, approve/disapprove, and log changes to systems | Meets |
3 | ID & Authenticate | 46 | IA.1.076 | Identify users, processes, and devices | Meets |
3 | ID & Authenticate | 47 | IA.1.077 | Authenticate/verify the ID of those users/processes/devices before giving access | Meets |
3 | ID & Authenticate | 53 | IA.3.083 | MFA for local and nw access for admins and for nw access for users | Meets |
3 | ID & Authenticate | 54 | IA.3.084 | Replay resistant authentication for network access | Meets |
3 | ID & Authenticate | 55 | IA.3.085 | Prevent reuse of identifiers for a defined period | Meets |
3 | ID & Authenticate | 56 | IA.3.086 | Disable identifiers after a defined period of inactivity | Meets |
3 | Maintenance | 66 | MA.2.113 | MFA for remote connections and terminate upon completion | Meets |
3 | Media Protection | 72 | MP.2.120 | Limit access to CUI/sensitive data on systems to authorized users | Meets |
3 | Media Protection | 73 | MP.2.121 | Control use of removable media | Meets |
3 | Media Protection | 75 | MP.3.123 | Prohibit use of non approved/identified portable storage | Meets |
3 | Media Protection | 77 | MP.3.125 | Encrypt portable media during transport | Meets |
3 | Physical Protection | 83 | PE.1.134 | Control and manage physical access devices | Meets |
3 | System & Comm Protection | 101 | SC.1.175 | Monitor, control & protect information transmitted or received by IS at perimeter and key internal boundaries | Meets |
3 | System & Comm Protection | 102 | SC.1.176 | Implement subnetworks for public systems | Meets |
3 | System & Comm Protection | 108 | SC.3.183 | Network traffic - deny all, permit by exception | Meets |
3 | System & Information Integrity | 119 | SI.1.210 | Identify, report, and correct IS flaws in a timely manner | Meets |
3 | System & Information Integrity | 120 | SI.1.211 | Provide protection from malware where appropriate | Meets |
3 | System & Information Integrity | 125 | SI.2.217 | Identify Unauthorized use of organizational systems | Meets |
3 | Audit & Accountability | 29 | AU.3.048 | Collect audit logs into central repository | Contributes |
3 | Configuration Management | 37 | CM.2.061 | Baseline configs and inventory | Contributes |
3 | Recovery | 88 | RE.3.139 | Complete backups | Contributes |
3 | System & Comm Protection | 106 | SC.3.181 | Separate user functionality from admin functionality | Contributes |
3 | System & Comm Protection | 107 | SC.3.182 | Prevent unauthorized/unintended information transfer via shared system resources | Contributes |
3 | System & Information Integrity | 123 | SI.2.214 | Monitor security alerts and take action | Contributes |
3 | System & Information Integrity | 124 | SI.2.216 | Monitor systems and traffic to detect attack patterns | Contributes |
3 | Access Control | 3 | AC.1.003 | Verify & Control connections to and use of external IS | Contributes |
3 | Access Control | 4 | AC.1.004 | Control information posted or processed on public IS | N/A |
3 | Access Control | 7 | AC.2.007 | Principle of Least Privilege | N/A |
3 | Access Control | 8 | AC.2.008 | Use non-priv accounts when doing non-priv functions | N/A |
3 | Access Control | 9 | AC.2.009 | Limit unsuccessful logon attempts | N/A |
3 | Access Control | 14 | AC.3.014 | Encrypt Remote Access Sessions | N/A |
3 | Access Control | 16 | AC.2.016 | Control Flow of CUI in accordance with approved auth. | N/A |
3 | Access Control | 17 | AC.3.017 | Separate duties to reduce malevolent activity w/o collusion | N/A |
3 | Access Control | 19 | AC.3.019 | Terminate user sessions after defined condition | N/A |
3 | Access Control | 21 | AC.3.021 | Authorize remote exec of admin cmds and remote access to security relevant information | N/A |
3 | Asset Management | 23 | AM.3.036 | Define procs for handling CUI data | N/A |
3 | Audit & Accountability | 26 | AU.2.043 | Synchronize system clocks with authoritative source for time stamps | N/A |
3 | Audit & Accountability | 27 | AU.2.044 | Review Audit Logs | N/A |
3 | Audit & Accountability | 28 | AU.3.045 | Review & update logged events | N/A |
3 | Audit & Accountability | 30 | AU.3.049 | Protect audit data from unauthorized access/mod/delete | N/A |
3 | Audit & Accountability | 31 | AU.3.050 | Limit mgmt of audit logging to limited privileged users | N/A |
3 | Audit & Accountability | 32 | AU.3.051 | Correlate data for investigation if indications of unauthorized activity | N/A |
3 | Audit & Accountability | 33 | AU.3.052 | Audit record reduction & report generation | N/A |
3 | Awareness & Training | 34 | AT.2.056 | Educate mgrs, admins, users of security risks and policies | N/A |
3 | Awareness & Training | 35 | AT.2.057 | Train users in assigned IS related duties/responsibilities | N/A |
3 | Awareness & Training | 36 | AT.3.058 | Security Awareness Training | N/A |
3 | Configuration Management | 38 | CM.2.062 | Principle of least functionality -config to only do what's needed | N/A |
3 | Configuration Management | 40 | CM.2.064 | Security Config Settings for IT products | N/A |
3 | Configuration Management | 42 | CM.2.066 | Analyze security impact of changes prior to implementation | N/A |
3 | Configuration Management | 43 | CM.3.067 | Define, doc, app, enf access restrictions based on system changes | N/A |
3 | ID & Authenticate | 48 | IA.2.078 | Min password complexity and change of char | N/A |
3 | ID & Authenticate | 49 | IA.2.079 | Prohibit Password reuse for a specified number of generations | N/A |
3 | ID & Authenticate | 50 | IA.2.080 | Allow Temp PWD for login with immediate change to permanent password | N/A |
3 | ID & Authenticate | 51 | IA.2.081 | Store and transmit only encrypted passwords | N/A |
3 | ID & Authenticate | 52 | IA.2.082 | Obscure Feedback of authentication information | N/A |
3 | Incident Response | 59 | IR.2.094 | Analyze & Triage events for resolution & declaration | N/A |
3 | Incident Response | 61 | IR.2.097 | Root Cause Analysis on incidents | N/A |
3 | Incident Response | 62 | IR.3.098 | Track, doc, report incidents internally and externally | N/A |
3 | Incident Response | 63 | IR.3.099 | Test operational incident response | N/A |
3 | Maintenance | 64 | MA.2.111 | Maintenance on organizational systems | N/A |
3 | Maintenance | 65 | MA.2.112 | Controls on maintenance | N/A |
3 | Maintenance | 67 | MA.2.114 | Supervise maintenance personnel who don't have authorization | N/A |
3 | Maintenance | 68 | MA.3.115 | Ensure equipment removed is wiped | N/A |
3 | Maintenance | 69 | MA.3.116 | Check diagnostic media for malicious code before use | N/A |
3 | Media Protection | 70 | MP.1.118 | Sanitize or destroy media containing Federal Contract (or PII or sensitive data) before disposal | N/A |
3 | Media Protection | 71 | MP.2.119 | Physically control and securely store media (digital or paper) containing CUI or other sensitive data | N/A |
3 | Media Protection | 74 | MP.3.122 | Mark media including paper with CUI info | N/A |
3 | Media Protection | 76 | MP.3.124 | Control access to media and maintain accountability during transport outside of controlled area | N/A |
3 | Personnel Security | 78 | PS.2.127 | Screen personnel | N/A |
3 | Personnel Security | 79 | PS.2.128 | Protect CUI/SD during terminations/transfers | N/A |
3 | Physical Protection | 80 | PE.1.131 | Limit access to authorized individuals | N/A |
3 | Physical Protection | 81 | PE.1.132 | Escort visitors and monitor visitor activity | N/A |
3 | Physical Protection | 82 | PE.1.133 | Maintain audit logs of physical access | N/A |
3 | Physical Protection | 84 | PE.2.135 | Protect/Monitor Physical Facility | N/A |
3 | Physical Protection | 85 | PE.3.136 | Enforce CUI safeguards at alternate work sites | N/A |
3 | Recovery | 86 | RE.2.137 | Regularly perform and test backups | N/A |
3 | Recovery | 87 | RE.2.138 | Protect confidentiality of backup CUI where stored | N/A |
3 | Risk Management | 90 | RM.2.142 | Vulnerability Scan | N/A |
3 | Risk Management | 94 | RM.3.147 | Manage EOL products and restrict to reduce risk | N/A |
3 | Security Assessment | 95 | CA.2.157 | Documentation of security plans | N/A |
3 | Security Assessment | 96 | CA.2.158 | Periodically assess security controls | N/A |
3 | Security Assessment | 97 | CA.2.159 | Implement plans to correct deficiencies & vulnerabilities | N/A |
3 | Security Assessment | 98 | CA.3.161 | Monitor security controls | N/A |
3 | Security Assessment | 99 | CA.3.162 | If you have custom software, do a security assessment of it | N/A |
3 | Situational Awareness | 100 | SA.3.169 | Get cyber threat intelligence from sharing sites and forums and communicate to stakeholders | N/A |
3 | System & Comm Protection | 103 | SC.2.178 | Prohibit remote activation of devices and notify of use | N/A |
3 | System & Comm Protection | 104 | SC.2.179 | Encrypt management sessions to devices | N/A |
3 | System & Comm Protection | 105 | SC.3.180 | Arch Designs, Soft Dev & Sys Eng techniques that promote effective info security | N/A |
3 | System & Comm Protection | 109 | SC.3.184 | No split tunneling on remote connection | N/A |
3 | System & Comm Protection | 110 | SC.3.185 | Encrypt transmission of CUI/SD | N/A |
3 | System & Comm Protection | 111 | SC.3.186 | Terminate sessions after end or defined period of inactivity | N/A |
3 | System & Comm Protection | 112 | SC.3.187 | Manage Encryption Keys | N/A |
3 | System & Comm Protection | 113 | SC.3.188 | Control/monitor mobile code such as Java/ActiveX/etc | N/A |
3 | System & Comm Protection | 114 | SC.3.189 | Control/monitor VoIP | N/A |
3 | System & Comm Protection | 115 | SC.3.190 | Protect authenticity of comm sessions | N/A |
3 | System & Comm Protection | 116 | SC.3.191 | Encrypt CUI/SD where stored | N/A |
3 | System & Comm Protection | 117 | SC.3.192 | DNS filtering services | N/A |
3 | System & Comm Protection | 118 | SC.3.193 | Policy restricting CUI/SC on public sites (social media) | N/A |
3 | System & Information Integrity | 121 | SI.1.212 | Update malware protection software when available | N/A |
3 | System & Information Integrity | 122 | SI.1.213 | Perform periodic scans of the IS and real time scans of files from external sources as downloaded, opened or executed | N/A |
3 | System & Information Integrity | 126 | SI.3.218 | Spam protection | N/A |
3 | System & Information Integrity | 127 | SI.3.219 | Email forgery protections | N/A |
3 | System & Information Integrity | 128 | SI.3.220 | Sandbox to detect or block malicious email | N/A |