Take a Quiz

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Domain: Access Control (AC)

Capability: C001 Establish system access requirements

Control: AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems.)

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Capability: C002 Control internal system access

Control: AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Do you understand the specific access requirements for each job role?*

Yes

No

Are you using an Identity and Access Management System (IAM), like Active Directory, to manage user and system accounts?*

Yes

No

Do you limit user access to only the systems and information they need to complete their assigned work in each line of business application?*

Yes

No

Are you reviewing user access on a regular basis?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Capability: C004 Limit data access to authorized users and processes

Control: AC.1.003: Verify and control/limit connections to and use of external information systems.

Do you have an inventory of all the external systems that your company accesses?*

Yes

No

Have you documented the nature of the external connections (inbound, outbound, protocol, etc.?)*

Yes

No

Do you restrict access to your corporate network to only corporate owned devices?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Control: AC.1.004 Control information posted or processed on publicly accessible information systems.

Do you have a list of users that have access to publish information publicly on your company website, blog, or social media?*

Yes

No

Do you have a role in your company to review content for any Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) before it is published publicly?*

Yes

No

Do you have a process to review published content to determine if any FCI or CUI information was inadvertently published and remove the content?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Capability: C015 Grant access to authenticated entities

Control: IA.1.076: Identify information system users, processes acting on behalf of users or devices.

Do any of your users share a user ID and password?*

Yes

No

Are you able to track and log the user ID for all users and systems that access the company network and applications?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Control: IA.1.076: Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.

Do you require strong and complex passwords for all your systems and applications?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Domain: Media Protection (MP)

Capability: C024 Sanitize media
Control: MP.1.118: Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse.

Does your company destroy or sanitize all “media” so that it can not be recovered? This includes a wide array of items that can store information, like hard drives, thumb drives, CDs, DVDs, tape backups, etc.*

Yes

No

Can you prove that you have destroyed or sanitized all “media,” including printed documents that contain FCI/CUI?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Domain: Physical Protection (PE)

Capability: C028 Limit physical accesssystem access

Control: PE.1.131: Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals.

Do you maintain a list of personnel with authorized access, and do you issue authorization credentials?*

Yes

No

Do you designate areas in your building as “sensitive” and have you put physical security protections in place to limit physical access to the area to only authorized employees?*

Yes

No

Are output devices, like printers, placed in areas where their use does not expose data to unauthorized individuals?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Control: PE.1.132: Escort visitors and monitor visitor activity.

Are personnel required to accompany visitors to areas in a facility with physical access to organization systems?*

Yes

No

Do you designate areas in your building as “sensitive” and have you put physical security protections in place to limit physical access to the area to only authorized employees?*

Yes

No

Are output devices, like printers, placed in areas where their use does not expose data to unauthorized individuals?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Control: PE.1.133: Maintain audit logs of physical access.em access

Do you require all visitors to sign-in, either electronic or paper, and maintain these records for as long as required?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Control: PE.1.134: Control and manage physical access devices.

Do you maintain an inventory of all physical access devices, like keys, badges, and key cards? Is access to your physical access devices limited to only authorized individuals?*

Yes

No

Is access to your physical access devices limited to only authorized individuals?*

Yes

No

Do you manage your physical access\devices? For example, revoking key card access or changing locks as needed.*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Domain: Physical Protection (PE)

Capability: C039: Control communications at system boundaries

Control: SC.1.175: Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internaluthorized users are permitted to execute.

Does your company use firewalls at the external system boundaries to protect systems that handle regulated data?*

Yes

No

Does your company use internal firewalls, routers, or switches to segment your internal network?*

Yes

No

Do you monitor data flowing in and out of external and internal system boundaries?*

Yes

No

Does your company protect data flowing in and out of your external and internal systems by using encryption or tunneling traffic?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Control: SC.1.176: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Does your company have any publicly accessible systems (e.g., internet-facing web servers, VPN gateways, publicly accessible cloud services?)*

Yes

No

If so, are these publicly accessible systems physically or logically separated subnetworks (e.g., isolated subnetworks, or Demilitarized Zones DMZ?)*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Domain: System & Information Integrity (SI)

Capability: C040: Identify and manage information system flaws

Control: SI.1.210: Identify, report and correct information and information system flaws in a timely manner.

Does your company have a defined and documented timeframe which system flaws must be identified from vulnerability scans, configuration scans, or manual reviews?*

Yes

No

Can you prove that system flaws are identified in accordance with the specified timeframe?*

Yes

No

Does your company have a defined and documented timeframe which system flaws must be corrected?*

Yes

No

Can you prove that system flaws are corrected in accordance with the specified timeframe?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Control: SI.1.211: Provide protection from malicious code at appropriate locations within organizational information systems.

Are system components (e.g., workstations, servers, mobile devices) where malicious code protection must be provided identified and documented?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Control: SI.1.212: Update malicious code protection mechanisms when new releases are available.

Is there a defined frequency by which malicious code protection must be updated?*

Yes

No

Does your company actively monitor and update your malicious code protection?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Control: SI.1.213: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.

Does your company have a defined and documented frequency for malicious code scans?*

Yes

No

Does your company perform real-time malicious code scans on files from external sources as files are downloaded, opened, or executed?*

Yes

No

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Get a copy of the full report to know what areas need strengthening.

First Name

Last name

Email

Please enter work email only (no Gmail, Yahoo, Etc.)

Phone Number

Submit your quote request

Please review all the information you previously typed in the past steps, and if all is okay, submit your message to receive a project quote in 24 - 48 hours.

CMMC Cybersecurity Quiz

Get a project quote

Domain: Access Control (AC)

Do you have a repeatable and auditable process to provision new employee user accounts?*

Do you have a repeatable and auditable process to provision new machine accounts on your network?*

Do you have a repeatable and auditable process to de-provision employee user accounts?*

Do you have a repeatable and auditable process to de-provision machine accounts on your network?*

Do you have a standard naming convention for new user accounts and machine accounts?*

Do you understand the specific access requirements for each job role?*

Are you using an Identity and Access Management System (IAM), like Active Directory, to manage user and system accounts?*

Do you limit user access to only the systems and information they need to complete their assigned work in each line of business application?*

Are you reviewing user access on a regular basis?*

Do you have an inventory of all the external systems that your company accesses?*

Have you documented the nature of the external connections (inbound, outbound, protocol, etc.?)*

Do you restrict access to your corporate network to only corporate owned devices?*

Do you have a list of users that have access to publish information publicly on your company website, blog, or social media?*

Do you have a role in your company to review content for any Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) before it is published publicly?*

Do you have a process to review published content to determine if any FCI or CUI information was inadvertently published and remove the content?*

Do any of your users share a user ID and password?*

Are you able to track and log the user ID for all users and systems that access the company network and applications?*

Do you require strong and complex passwords for all your systems and applications?*

Domain: Media Protection (MP)

Does your company destroy or sanitize all “media” so that it can not be recovered? This includes a wide array of items that can store information, like hard drives, thumb drives, CDs, DVDs, tape backups, etc.*

Can you prove that you have destroyed or sanitized all “media,” including printed documents that contain FCI/CUI?*

Domain: Physical Protection (PE)

Do you maintain a list of personnel with authorized access, and do you issue authorization credentials?*

Do you designate areas in your building as “sensitive” and have you put physical security protections in place to limit physical access to the area to only authorized employees?*

Are output devices, like printers, placed in areas where their use does not expose data to unauthorized individuals?*

Are personnel required to accompany visitors to areas in a facility with physical access to organization systems?*

Do you designate areas in your building as “sensitive” and have you put physical security protections in place to limit physical access to the area to only authorized employees?*

Are output devices, like printers, placed in areas where their use does not expose data to unauthorized individuals?*

Do you require all visitors to sign-in, either electronic or paper, and maintain these records for as long as required?*

Do you maintain an inventory of all physical access devices, like keys, badges, and key cards? Is access to your physical access devices limited to only authorized individuals?*

Is access to your physical access devices limited to only authorized individuals?*

Do you manage your physical access\devices? For example, revoking key card access or changing locks as needed.*

Domain: Physical Protection (PE)

Does your company use firewalls at the external system boundaries to protect systems that handle regulated data?*

Does your company use internal firewalls, routers, or switches to segment your internal network?*

Do you monitor data flowing in and out of external and internal system boundaries?*

Does your company protect data flowing in and out of your external and internal systems by using encryption or tunneling traffic?*

Does your company have any publicly accessible systems (e.g., internet-facing web servers, VPN gateways, publicly accessible cloud services?)*

If so, are these publicly accessible systems physically or logically separated subnetworks (e.g., isolated subnetworks, or Demilitarized Zones DMZ?)*

Domain: System & Information Integrity (SI)

Does your company have a defined and documented timeframe which system flaws must be identified from vulnerability scans, configuration scans, or manual reviews?*

Can you prove that system flaws are identified in accordance with the specified timeframe?*

Does your company have a defined and documented timeframe which system flaws must be corrected?*

Can you prove that system flaws are corrected in accordance with the specified timeframe?*

Are system components (e.g., workstations, servers, mobile devices) where malicious code protection must be provided identified and documented?*

Is there a defined frequency by which malicious code protection must be updated?*

Does your company actively monitor and update your malicious code protection?*

Does your company have a defined and documented frequency for malicious code scans?*

Does your company perform real-time malicious code scans on files from external sources as files are downloaded, opened, or executed?*

Get a copy of the full report to know what areas need strengthening.

Submit your quote request

Thank you! Your submission has been received!