icdev 1.0.0__py3-none-any.whl

icdev/data/context/compliance/nist_800_171_controls.json

@@ -0,0 +1,1552 @@
+{
+  "metadata": {
+    "title": "NIST SP 800-171 Rev 2 — CUI Protection Requirements",
+    "source": "NIST Special Publication 800-171 Revision 2",
+    "classification": "CUI // SP-CTI",
+    "version": "1.0",
+    "last_updated": "2026-02-15",
+    "description": "110 security requirements in 14 families for protecting CUI in nonfederal systems"
+  },
+  "requirements": [
+    {
+      "id": "171-3.1.1",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 1,
+      "title": "Limit system access to authorized users, processes acting on behalf of authorized users, and devices",
+      "description": "Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).",
+      "discussion": "Access control policies control access between active entities or subjects and passive entities or objects in systems. Organizations manage system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. Restricting access helps protect the confidentiality of CUI.",
+      "nist_800_53_controls": ["AC-2", "AC-3", "AC-17"],
+      "cmmc_practice_id": "AC.L2-3.1.1",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Access control policy, user access lists, system access logs"
+    },
+    {
+      "id": "171-3.1.2",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 2,
+      "title": "Limit system access to the types of transactions and functions that authorized users are permitted to execute",
+      "description": "Limit information system access to the types of transactions and functions that authorized users are permitted to execute.",
+      "discussion": "Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes include restrictions on time-of-day, day-of-week, and point-of-origin.",
+      "nist_800_53_controls": ["AC-3", "AC-6"],
+      "cmmc_practice_id": "AC.L2-3.1.2",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Role-based access control matrix, transaction authorization policy, function permission mappings"
+    },
+    {
+      "id": "171-3.1.3",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 3,
+      "title": "Control the flow of CUI in accordance with approved authorizations",
+      "description": "Control the flow of CUI in accordance with approved authorizations.",
+      "discussion": "Information flow control regulates where CUI can travel within a system and between systems. Flow control restrictions include keeping CUI from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting requests to the Internet that are not from the internal web proxy server, and limiting information transferred between organizations based on data structures and content.",
+      "nist_800_53_controls": ["AC-4"],
+      "cmmc_practice_id": "AC.L2-3.1.3",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Information flow control policy, data flow diagrams, boundary protection configurations, filtering rules"
+    },
+    {
+      "id": "171-3.1.4",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 4,
+      "title": "Separate the duties of individuals to reduce the risk of malevolent activity without collusion",
+      "description": "Separate the duties of individuals to reduce the risk of malevolent activity without collusion.",
+      "discussion": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Types of separation of duties include dividing mission functions and system support functions among different individuals and roles, conducting system support functions with different individuals, and ensuring that security personnel administering access control functions do not also administer audit functions.",
+      "nist_800_53_controls": ["AC-5"],
+      "cmmc_practice_id": "AC.L2-3.1.4",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Separation of duties policy, role definitions, access control matrix showing role separation"
+    },
+    {
+      "id": "171-3.1.5",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 5,
+      "title": "Employ the principle of least privilege, including for specific security functions and privileged accounts",
+      "description": "Employ the principle of least privilege, including for specific security functions and privileged accounts.",
+      "discussion": "Organizations employ least privilege for specific duties and systems. The principle of least privilege is applied to system processes, ensuring that processes operate at privilege levels no higher than necessary. Security functions include establishing system accounts, configuring access authorizations, configuring settings for events to be audited, and setting intrusion detection parameters.",
+      "nist_800_53_controls": ["AC-6", "AC-6(1)", "AC-6(5)"],
+      "cmmc_practice_id": "AC.L2-3.1.5",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Least privilege policy, privileged account inventory, access authorization records"
+    },
+    {
+      "id": "171-3.1.6",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 6,
+      "title": "Use non-privileged accounts or roles when accessing nonsecurity functions",
+      "description": "Use non-privileged accounts or roles when accessing nonsecurity functions.",
+      "discussion": "This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.",
+      "nist_800_53_controls": ["AC-6(2)"],
+      "cmmc_practice_id": "AC.L2-3.1.6",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Account usage policy, evidence of separate accounts for privileged and non-privileged activities"
+    },
+    {
+      "id": "171-3.1.7",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 7,
+      "title": "Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs",
+      "description": "Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.",
+      "discussion": "Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.",
+      "nist_800_53_controls": ["AC-6(9)", "AC-6(10)"],
+      "cmmc_practice_id": "AC.L2-3.1.7",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Privilege escalation controls, audit logs of privileged function execution, access control enforcement records"
+    },
+    {
+      "id": "171-3.1.8",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 8,
+      "title": "Limit unsuccessful logon attempts",
+      "description": "Limit unsuccessful logon attempts.",
+      "discussion": "Organizations may define the maximum number of consecutive invalid logon attempts by a user during a specified time period. The organization may choose to automatically lock the account or node for a specified time period, lock the account or node until released by an administrator, delay the next logon prompt, or take other appropriate action.",
+      "nist_800_53_controls": ["AC-7"],
+      "cmmc_practice_id": "AC.L2-3.1.8",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Account lockout policy configuration, logon attempt logs, lockout threshold settings"
+    },
+    {
+      "id": "171-3.1.9",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 9,
+      "title": "Provide privacy and security notices consistent with applicable CUI rules",
+      "description": "Provide privacy and security notices consistent with applicable CUI rules.",
+      "discussion": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users and are not required when human interfaces do not exist. Organizations consider system use notification messages and banners in light of applicable federal laws, directives, policies, regulations, standards, and guidance.",
+      "nist_800_53_controls": ["AC-8"],
+      "cmmc_practice_id": "AC.L2-3.1.9",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "System use notification banners, privacy notice content, banner configuration screenshots"
+    },
+    {
+      "id": "171-3.1.10",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 10,
+      "title": "Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity",
+      "description": "Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.",
+      "discussion": "Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level. Pattern-hiding displays include screen savers, blank screens, and clock displays.",
+      "nist_800_53_controls": ["AC-11", "AC-11(1)"],
+      "cmmc_practice_id": "AC.L2-3.1.10",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Session lock policy, inactivity timeout configuration, screen saver settings documentation"
+    },
+    {
+      "id": "171-3.1.11",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 11,
+      "title": "Terminate (automatically) a user session after a defined condition",
+      "description": "Terminate (automatically) a user session after a defined condition.",
+      "discussion": "This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections associated with communications sessions. Conditions or trigger events requiring automatic session termination can include organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on system use.",
+      "nist_800_53_controls": ["AC-12"],
+      "cmmc_practice_id": "AC.L2-3.1.11",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Session termination policy, timeout configuration, session management logs"
+    },
+    {
+      "id": "171-3.1.12",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 12,
+      "title": "Monitor and control remote access sessions",
+      "description": "Monitor and control remote access sessions.",
+      "discussion": "Remote access is access to organizational systems by users communicating through external networks. Remote access methods include dial-up, broadband, and wireless. Monitoring and controlling remote access sessions allows organizations to detect cyber attacks and ensure compliance with remote access policies by auditing connection activities of remote users on a variety of system components.",
+      "nist_800_53_controls": ["AC-17(1)"],
+      "cmmc_practice_id": "AC.L2-3.1.12",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Remote access monitoring logs, VPN session records, remote access policy enforcement documentation"
+    },
+    {
+      "id": "171-3.1.13",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 13,
+      "title": "Employ cryptographic mechanisms to protect the confidentiality of remote access sessions",
+      "description": "Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.",
+      "discussion": "Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. Encryption is used to protect the confidentiality of remote access sessions. The strength of the encryption is commensurate with the classification or sensitivity of the information.",
+      "nist_800_53_controls": ["AC-17(2)"],
+      "cmmc_practice_id": "AC.L2-3.1.13",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "VPN configuration with encryption settings, FIPS-validated cryptography documentation, TLS/SSL configuration"
+    },
+    {
+      "id": "171-3.1.14",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 14,
+      "title": "Route remote access via managed access control points",
+      "description": "Route remote access via managed access control points.",
+      "discussion": "Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.",
+      "nist_800_53_controls": ["AC-17(3)"],
+      "cmmc_practice_id": "AC.L2-3.1.14",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Network architecture diagrams showing access control points, VPN gateway configurations, remote access routing policy"
+    },
+    {
+      "id": "171-3.1.15",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 15,
+      "title": "Authorize remote execution of privileged commands and remote access to security-relevant information",
+      "description": "Authorize remote execution of privileged commands and remote access to security-relevant information.",
+      "discussion": "A privileged command is a human-initiated command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Security-relevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data.",
+      "nist_800_53_controls": ["AC-17(4)"],
+      "cmmc_practice_id": "AC.L2-3.1.15",
+      "priority": "high",
+      "automation_level": "manual",
+      "evidence_required": "Remote privileged command authorization policy, remote access authorization records, audit logs of remote privileged actions"
+    },
+    {
+      "id": "171-3.1.16",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 16,
+      "title": "Authorize wireless access prior to allowing such connections",
+      "description": "Authorize wireless access prior to allowing such connections.",
+      "discussion": "Establishing usage restrictions and configuration and connection requirements for wireless access to the system provides criteria for organizations to support wireless access authorization decisions. Such restrictions and requirements reduce the susceptibility to unauthorized access to the system through wireless technologies.",
+      "nist_800_53_controls": ["AC-18"],
+      "cmmc_practice_id": "AC.L2-3.1.16",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Wireless access policy, authorized wireless device inventory, wireless access point configuration"
+    },
+    {
+      "id": "171-3.1.17",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 17,
+      "title": "Protect wireless access using authentication and encryption",
+      "description": "Protect wireless access using authentication and encryption.",
+      "discussion": "Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention is given to the variety of devices that are part of the Internet of Things with potential wireless access to organizational systems. Use of open or unencrypted wireless connections can expose CUI to interception.",
+      "nist_800_53_controls": ["AC-18(1)"],
+      "cmmc_practice_id": "AC.L2-3.1.17",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Wireless encryption configuration (WPA2/WPA3), wireless authentication mechanism documentation, wireless security policy"
+    },
+    {
+      "id": "171-3.1.18",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 18,
+      "title": "Control connection of mobile devices",
+      "description": "Control connection of mobile devices.",
+      "discussion": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device policies and procedures include the types of mobile devices that can access organizational systems, how they are to be configured, and use restrictions.",
+      "nist_800_53_controls": ["AC-19"],
+      "cmmc_practice_id": "AC.L2-3.1.18",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Mobile device policy, MDM configuration, approved mobile device inventory, connection control rules"
+    },
+    {
+      "id": "171-3.1.19",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 19,
+      "title": "Encrypt CUI on mobile devices and mobile computing platforms",
+      "description": "Encrypt CUI on mobile devices and mobile computing platforms.",
+      "discussion": "Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields.",
+      "nist_800_53_controls": ["AC-19(5)"],
+      "cmmc_practice_id": "AC.L2-3.1.19",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Mobile device encryption policy, encryption configuration evidence, MDM enforcement records"
+    },
+    {
+      "id": "171-3.1.20",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 20,
+      "title": "Verify and control/limit connections to and use of external systems",
+      "description": "Verify and control/limit connections to and use of external information systems.",
+      "discussion": "External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls. External systems include personally owned systems, components, or devices and privately owned computing and communications devices resident in commercial or public facilities.",
+      "nist_800_53_controls": ["AC-20", "AC-20(1)"],
+      "cmmc_practice_id": "AC.L2-3.1.20",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "External system connection policy, authorized external system inventory, interconnection security agreements"
+    },
+    {
+      "id": "171-3.1.21",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 21,
+      "title": "Limit use of portable storage devices on external systems",
+      "description": "Limit use of organizational portable storage devices on external information systems.",
+      "discussion": "Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Organizations may prohibit the use of portable storage devices on external systems due to the potential risk of information exposure to unauthorized users.",
+      "nist_800_53_controls": ["AC-20(2)"],
+      "cmmc_practice_id": "AC.L2-3.1.21",
+      "priority": "medium",
+      "automation_level": "manual",
+      "evidence_required": "Portable storage device policy, device usage restrictions documentation, DLP configuration"
+    },
+    {
+      "id": "171-3.1.22",
+      "family": "Access Control",
+      "family_code": "3.1",
+      "requirement_number": 22,
+      "title": "Control CUI posted or processed on publicly accessible systems",
+      "description": "Control information posted or processed on publicly accessible information systems.",
+      "discussion": "In accordance with applicable laws, directives, policies, regulations, standards, and guidance, the public is not authorized access to nonpublic information including CUI. This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI on publicly accessible systems are designated, and content is reviewed prior to posting to ensure that nonpublic information is not included.",
+      "nist_800_53_controls": ["AC-22"],
+      "cmmc_practice_id": "AC.L2-3.1.22",
+      "priority": "high",
+      "automation_level": "manual",
+      "evidence_required": "Public information posting policy, content review procedures, designated posting authority records"
+    },
+    {
+      "id": "171-3.2.1",
+      "family": "Awareness and Training",
+      "family_code": "3.2",
+      "requirement_number": 1,
+      "title": "Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems",
+      "description": "Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.",
+      "discussion": "Organizations determine the content and frequency of security awareness training based on the specific organizational requirements. Awareness techniques include displaying posters, offering supplies inscribed with security reminders, generating email advisories and notices from organizational officials, displaying logon screen messages, and conducting information security awareness events.",
+      "nist_800_53_controls": ["AT-2"],
+      "cmmc_practice_id": "AT.L2-3.2.1",
+      "priority": "medium",
+      "automation_level": "manual",
+      "evidence_required": "Security awareness training materials, training completion records, training schedule"
+    },
+    {
+      "id": "171-3.2.2",
+      "family": "Awareness and Training",
+      "family_code": "3.2",
+      "requirement_number": 2,
+      "title": "Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities",
+      "description": "Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.",
+      "discussion": "Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide security awareness training to personnel regarding the need to protect CUI and the duty to report CUI spillage incidents.",
+      "nist_800_53_controls": ["AT-3"],
+      "cmmc_practice_id": "AT.L2-3.2.2",
+      "priority": "medium",
+      "automation_level": "manual",
+      "evidence_required": "Role-based training plans, training completion certificates, training effectiveness assessments"
+    },
+    {
+      "id": "171-3.2.3",
+      "family": "Awareness and Training",
+      "family_code": "3.2",
+      "requirement_number": 3,
+      "title": "Provide security awareness training on recognizing and reporting potential indicators of insider threat",
+      "description": "Provide security awareness training on recognizing and reporting potential indicators of insider threat.",
+      "discussion": "Insider threats are security threats from within the organization. Organizations provide training to all users to recognize indicators of potential insider threats and report them to proper authorities. Potential indicators and possible precursors to insider threats include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, and unexplained access to financial resources.",
+      "nist_800_53_controls": ["AT-2(2)"],
+      "cmmc_practice_id": "AT.L2-3.2.3",
+      "priority": "medium",
+      "automation_level": "manual",
+      "evidence_required": "Insider threat awareness training materials, training completion records, reporting procedures documentation"
+    },
+    {
+      "id": "171-3.3.1",
+      "family": "Audit and Accountability",
+      "family_code": "3.3",
+      "requirement_number": 1,
+      "title": "Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity",
+      "description": "Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.",
+      "discussion": "An event is any observable occurrence in a system including unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate. Audit records can be generated at various levels of abstraction.",
+      "nist_800_53_controls": ["AU-2", "AU-3", "AU-3(1)", "AU-6"],
+      "cmmc_practice_id": "AU.L2-3.3.1",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Audit policy, audit log configuration, log retention settings, sample audit records"
+    },
+    {
+      "id": "171-3.3.2",
+      "family": "Audit and Accountability",
+      "family_code": "3.3",
+      "requirement_number": 2,
+      "title": "Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions",
+      "description": "Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.",
+      "discussion": "This requirement ensures that the contents of the audit record include the information needed to, when possible, link audit events to individual users. Organizations consider event types for which audit logs are necessary for individual accountability including events such as successful and unsuccessful logon attempts, privileged activities or other security-relevant events, and accessing CUI.",
+      "nist_800_53_controls": ["AU-2", "AU-3", "AU-6"],
+      "cmmc_practice_id": "AU.L2-3.3.2",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Audit record content configuration showing user attribution, unique user identification in logs"
+    },
+    {
+      "id": "171-3.3.3",
+      "family": "Audit and Accountability",
+      "family_code": "3.3",
+      "requirement_number": 3,
+      "title": "Review and update logged events",
+      "description": "Review and update logged events.",
+      "discussion": "The intent of this requirement is that the organization periodically reviews the types of events that are logged. This review can be accomplished with a mixture of manual and automated techniques. The types of events that are currently logged may be insufficient. The review of logged events helps inform decisions on which events require logging. The organization also considers the impact of changes in systems on the events that are logged.",
+      "nist_800_53_controls": ["AU-2(3)"],
+      "cmmc_practice_id": "AU.L2-3.3.3",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Logged event review records, event type update documentation, review schedule"
+    },
+    {
+      "id": "171-3.3.4",
+      "family": "Audit and Accountability",
+      "family_code": "3.3",
+      "requirement_number": 4,
+      "title": "Alert in the event of an audit logging process failure",
+      "description": "Alert in the event of an audit logging process failure.",
+      "discussion": "Audit logging process failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit logging failures (e.g., by type, by location, by severity, or a combination of such factors).",
+      "nist_800_53_controls": ["AU-5"],
+      "cmmc_practice_id": "AU.L2-3.3.4",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Audit failure alerting configuration, alert notification procedures, monitoring system configuration"
+    },
+    {
+      "id": "171-3.3.5",
+      "family": "Audit and Accountability",
+      "family_code": "3.3",
+      "requirement_number": 5,
+      "title": "Correlate audit record review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities",
+      "description": "Correlate audit record review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.",
+      "discussion": "Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is met when the information to be correlated is communicated directly to a SIEM or similar audit processing tool.",
+      "nist_800_53_controls": ["AU-6(3)"],
+      "cmmc_practice_id": "AU.L2-3.3.5",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "SIEM configuration, log correlation rules, incident response integration documentation"
+    },
+    {
+      "id": "171-3.3.6",
+      "family": "Audit and Accountability",
+      "family_code": "3.3",
+      "requirement_number": 6,
+      "title": "Provide audit record reduction and report generation to support on-demand analysis and reporting",
+      "description": "Provide audit record reduction and report generation to support on-demand analysis and reporting.",
+      "discussion": "Audit record reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities conducting auditing activities.",
+      "nist_800_53_controls": ["AU-7"],
+      "cmmc_practice_id": "AU.L2-3.3.6",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Audit analysis tools configuration, report generation capability documentation, sample audit reports"
+    },
+    {
+      "id": "171-3.3.7",
+      "family": "Audit and Accountability",
+      "family_code": "3.3",
+      "requirement_number": 7,
+      "title": "Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records",
+      "description": "Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.",
+      "discussion": "Internal system clocks are used to generate time stamps, which include date and time. Time is expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Time stamps generated by the system include both date and time and are used in audit records.",
+      "nist_800_53_controls": ["AU-8"],
+      "cmmc_practice_id": "AU.L2-3.3.7",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "NTP configuration, time synchronization source documentation, time stamp format in audit records"
+    },
+    {
+      "id": "171-3.3.8",
+      "family": "Audit and Accountability",
+      "family_code": "3.3",
+      "requirement_number": 8,
+      "title": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion",
+      "description": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion.",
+      "discussion": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit settings, and audit reports. Audit logging tools are those programs and devices used to conduct audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by the media protection requirements and physical and environmental protection requirements.",
+      "nist_800_53_controls": ["AU-9"],
+      "cmmc_practice_id": "AU.L2-3.3.8",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Audit log access controls, log integrity protection mechanisms, audit tool access restrictions"
+    },
+    {
+      "id": "171-3.3.9",
+      "family": "Audit and Accountability",
+      "family_code": "3.3",
+      "requirement_number": 9,
+      "title": "Limit management of audit logging functionality to a subset of privileged users",
+      "description": "Limit management of audit logging functionality to a subset of privileged users.",
+      "discussion": "Individuals with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This requirement specifies that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.",
+      "nist_800_53_controls": ["AU-9(4)"],
+      "cmmc_practice_id": "AU.L2-3.3.9",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Audit management role assignments, privileged user list with audit responsibilities, access control documentation for audit functions"
+    },
+    {
+      "id": "171-3.4.1",
+      "family": "Configuration Management",
+      "family_code": "3.4",
+      "requirement_number": 1,
+      "title": "Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles",
+      "description": "Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.",
+      "discussion": "Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Maintaining baselines requires creating new baselines as systems change over time.",
+      "nist_800_53_controls": ["CM-2", "CM-6", "CM-8", "CM-8(1)"],
+      "cmmc_practice_id": "CM.L2-3.4.1",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Baseline configuration documents, hardware/software inventory, configuration management plan"
+    },
+    {
+      "id": "171-3.4.2",
+      "family": "Configuration Management",
+      "family_code": "3.4",
+      "requirement_number": 2,
+      "title": "Establish and enforce security configuration settings for information technology products employed in organizational systems",
+      "description": "Establish and enforce security configuration settings for information technology products employed in organizational information systems.",
+      "discussion": "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. IT products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices, network components, operating systems, middleware, and applications.",
+      "nist_800_53_controls": ["CM-6"],
+      "cmmc_practice_id": "CM.L2-3.4.2",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Security configuration standards (STIGs, CIS benchmarks), configuration compliance scan results, deviation documentation"
+    },
+    {
+      "id": "171-3.4.3",
+      "family": "Configuration Management",
+      "family_code": "3.4",
+      "requirement_number": 3,
+      "title": "Track, review, approve or disapprove, and log changes to organizational systems",
+      "description": "Track, review, approve or disapprove, and log changes to organizational systems.",
+      "discussion": "Tracking, reviewing, approving or disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications.",
+      "nist_800_53_controls": ["CM-3"],
+      "cmmc_practice_id": "CM.L2-3.4.3",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Change management process documentation, change request records, change approval logs, change implementation records"
+    },
+    {
+      "id": "171-3.4.4",
+      "family": "Configuration Management",
+      "family_code": "3.4",
+      "requirement_number": 4,
+      "title": "Analyze the security impact of changes prior to implementation",
+      "description": "Analyze the security impact of changes prior to implementation.",
+      "discussion": "Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications.",
+      "nist_800_53_controls": ["CM-4"],
+      "cmmc_practice_id": "CM.L2-3.4.4",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Security impact analysis reports, change request security review documentation"
+    },
+    {
+      "id": "171-3.4.5",
+      "family": "Configuration Management",
+      "family_code": "3.4",
+      "requirement_number": 5,
+      "title": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems",
+      "description": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational information systems.",
+      "discussion": "Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes.",
+      "nist_800_53_controls": ["CM-5"],
+      "cmmc_practice_id": "CM.L2-3.4.5",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Access restriction policy for change management, authorized change personnel list, change access control records"
+    },
+    {
+      "id": "171-3.4.6",
+      "family": "Configuration Management",
+      "family_code": "3.4",
+      "requirement_number": 6,
+      "title": "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities",
+      "description": "Employ the principle of least functionality by configuring organizational information systems to provide only essential capabilities.",
+      "discussion": "Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component.",
+      "nist_800_53_controls": ["CM-7"],
+      "cmmc_practice_id": "CM.L2-3.4.6",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Least functionality configuration, disabled services list, port/protocol/service restrictions"
+    },
+    {
+      "id": "171-3.4.7",
+      "family": "Configuration Management",
+      "family_code": "3.4",
+      "requirement_number": 7,
+      "title": "Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services",
+      "description": "Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.",
+      "discussion": "Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the use of specific programs to specific times of the day, or to specific user accounts.",
+      "nist_800_53_controls": ["CM-7(1)", "CM-7(2)"],
+      "cmmc_practice_id": "CM.L2-3.4.7",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Application whitelisting/blacklisting policy, disabled ports/protocols/services list, firewall rules"
+    },
+    {
+      "id": "171-3.4.8",
+      "family": "Configuration Management",
+      "family_code": "3.4",
+      "requirement_number": 8,
+      "title": "Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software",
+      "description": "Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.",
+      "discussion": "The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software execution.",
+      "nist_800_53_controls": ["CM-7(4)", "CM-7(5)"],
+      "cmmc_practice_id": "CM.L2-3.4.8",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Software restriction policy, application control tool configuration, authorized/unauthorized software lists"
+    },
+    {
+      "id": "171-3.4.9",
+      "family": "Configuration Management",
+      "family_code": "3.4",
+      "requirement_number": 9,
+      "title": "Control and monitor user-installed software",
+      "description": "Control and monitor user-installed software.",
+      "discussion": "Users can install software in organizational systems if provided the necessary privileges. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved application stores.",
+      "nist_800_53_controls": ["CM-11"],
+      "cmmc_practice_id": "CM.L2-3.4.9",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "User software installation policy, software installation monitoring logs, approved software catalog"
+    },
+    {
+      "id": "171-3.5.1",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 1,
+      "title": "Identify system users, processes acting on behalf of users, and devices",
+      "description": "Identify information system users, processes acting on behalf of users, or devices.",
+      "discussion": "Common device identifiers include media access control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. Organizations may supplement device identification with additional security attributes, such as certifications and credentials. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames associated with the system accounts assigned to those individuals.",
+      "nist_800_53_controls": ["IA-2", "IA-5"],
+      "cmmc_practice_id": "IA.L2-3.5.1",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "User identification policy, user account inventory, device identification mechanism documentation"
+    },
+    {
+      "id": "171-3.5.2",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 2,
+      "title": "Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems",
+      "description": "Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.",
+      "discussion": "Individual authenticators include passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk.",
+      "nist_800_53_controls": ["IA-2", "IA-5"],
+      "cmmc_practice_id": "IA.L2-3.5.2",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Authentication mechanism documentation, password policy configuration, MFA implementation evidence"
+    },
+    {
+      "id": "171-3.5.3",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 3,
+      "title": "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts",
+      "description": "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.",
+      "discussion": "Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as something you know (e.g., password), something you have (e.g., smart card or token), or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response one-time passwords and smart cards.",
+      "nist_800_53_controls": ["IA-2(1)", "IA-2(2)", "IA-2(3)"],
+      "cmmc_practice_id": "IA.L2-3.5.3",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "MFA configuration for privileged and non-privileged accounts, MFA solution documentation, access method inventory"
+    },
+    {
+      "id": "171-3.5.4",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 4,
+      "title": "Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts",
+      "description": "Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.",
+      "discussion": "Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.",
+      "nist_800_53_controls": ["IA-2(8)"],
+      "cmmc_practice_id": "IA.L2-3.5.4",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Replay-resistant authentication protocol documentation, TLS configuration, one-time password mechanism evidence"
+    },
+    {
+      "id": "171-3.5.5",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 5,
+      "title": "Prevent reuse of identifiers for a defined period",
+      "description": "Prevent reuse of identifiers for a defined period.",
+      "discussion": "Identifiers are provided for users, processes acting on behalf of users, or devices. Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.",
+      "nist_800_53_controls": ["IA-4"],
+      "cmmc_practice_id": "IA.L2-3.5.5",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Identifier reuse prevention policy, identifier management configuration, account lifecycle documentation"
+    },
+    {
+      "id": "171-3.5.6",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 6,
+      "title": "Disable identifiers after a defined period of inactivity",
+      "description": "Disable identifiers after a defined period of inactivity.",
+      "discussion": "Inactive identifiers pose a risk to organizational systems and applications. Attackers may exploit an inactive identifier to gain access, potentially without detection. Owners of inactive accounts may not notice if unauthorized access is taking place.",
+      "nist_800_53_controls": ["IA-4(e)"],
+      "cmmc_practice_id": "IA.L2-3.5.6",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Account inactivity policy, inactive account disable configuration, account review logs"
+    },
+    {
+      "id": "171-3.5.7",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 7,
+      "title": "Enforce a minimum password complexity and change of characters when new passwords are created",
+      "description": "Enforce a minimum password complexity and change of characters when new passwords are created.",
+      "discussion": "This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password complexity includes composition rules (e.g., uppercase, lowercase, numbers, special characters).",
+      "nist_800_53_controls": ["IA-5(1)"],
+      "cmmc_practice_id": "IA.L2-3.5.7",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Password policy configuration, complexity requirements documentation, password change settings"
+    },
+    {
+      "id": "171-3.5.8",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 8,
+      "title": "Prohibit password reuse for a specified number of generations",
+      "description": "Prohibit password reuse for a specified number of generations.",
+      "discussion": "Password lifetime restrictions do not apply to temporary passwords. Users reusing old passwords may enable adversaries to gain access to organizational systems. The number of passwords that must be created before a previous password can be reused is typically set at a minimum of 24 passwords.",
+      "nist_800_53_controls": ["IA-5(1)"],
+      "cmmc_practice_id": "IA.L2-3.5.8",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Password history configuration, password reuse prevention settings"
+    },
+    {
+      "id": "171-3.5.9",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 9,
+      "title": "Allow temporary password use for system logons with an immediate change to a permanent password",
+      "description": "Allow temporary password use for system logons with an immediate change to a permanent password.",
+      "discussion": "Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.",
+      "nist_800_53_controls": ["IA-5(1)"],
+      "cmmc_practice_id": "IA.L2-3.5.9",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Temporary password policy, force-change-on-first-login configuration"
+    },
+    {
+      "id": "171-3.5.10",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 10,
+      "title": "Store and transmit only cryptographically-protected passwords",
+      "description": "Store and transmit only cryptographically-protected passwords.",
+      "discussion": "Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. Unencrypted or plaintext passwords are not stored or transmitted. Organizations also determine the minimum strength of cryptographic mechanisms used to protect passwords.",
+      "nist_800_53_controls": ["IA-5(1)"],
+      "cmmc_practice_id": "IA.L2-3.5.10",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Password storage mechanism documentation (hashing algorithms), TLS configuration for password transmission"
+    },
+    {
+      "id": "171-3.5.11",
+      "family": "Identification and Authentication",
+      "family_code": "3.5",
+      "requirement_number": 11,
+      "title": "Obscure feedback of authentication information",
+      "description": "Obscure feedback of authentication information.",
+      "discussion": "The feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example desktops or notebooks with relatively large monitors, the threat may be mitigated by the ability of the user to physically protect their authentication information. Obscuring feedback of authentication information includes displaying asterisks when a password is entered.",
+      "nist_800_53_controls": ["IA-6"],
+      "cmmc_practice_id": "IA.L2-3.5.11",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Authentication feedback masking configuration, UI/login screen screenshots showing obscured input"
+    },
+    {
+      "id": "171-3.6.1",
+      "family": "Incident Response",
+      "family_code": "3.6",
+      "requirement_number": 1,
+      "title": "Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities",
+      "description": "Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.",
+      "discussion": "Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as it relates to the confidentiality of CUI. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events.",
+      "nist_800_53_controls": ["IR-2", "IR-4", "IR-5", "IR-6", "IR-7"],
+      "cmmc_practice_id": "IR.L2-3.6.1",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Incident response plan, incident handling procedures, incident response team roster, communication plan"
+    },
+    {
+      "id": "171-3.6.2",
+      "family": "Incident Response",
+      "family_code": "3.6",
+      "requirement_number": 2,
+      "title": "Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization",
+      "description": "Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.",
+      "discussion": "Tracking and documenting system security incidents on an ongoing basis is a critical component of a well-defined incident response capability. Organizations should ensure that both types of incidents (those handled internally and those handled externally) are properly tracked and documented. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization.",
+      "nist_800_53_controls": ["IR-5", "IR-6"],
+      "cmmc_practice_id": "IR.L2-3.6.2",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Incident tracking system, incident report templates, reporting authority contact list, sample incident reports"
+    },
+    {
+      "id": "171-3.6.3",
+      "family": "Incident Response",
+      "family_code": "3.6",
+      "requirement_number": 3,
+      "title": "Test the organizational incident response capability",
+      "description": "Test the organizational incident response capability.",
+      "discussion": "Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations and assets and individuals due to incident response.",
+      "nist_800_53_controls": ["IR-3", "IR-3(2)"],
+      "cmmc_practice_id": "IR.L2-3.6.3",
+      "priority": "medium",
+      "automation_level": "manual",
+      "evidence_required": "Incident response test plans, test results, after-action reports, lessons learned documentation"
+    },
+    {
+      "id": "171-3.7.1",
+      "family": "Maintenance",
+      "family_code": "3.7",
+      "requirement_number": 1,
+      "title": "Perform maintenance on organizational systems",
+      "description": "Perform maintenance on organizational information systems.",
+      "discussion": "This requirement addresses controlled maintenance of organizational systems and applies to all types of maintenance whether performed by local or nonlocal entities (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing or data or information retention such as scanners, copiers, and printers.",
+      "nist_800_53_controls": ["MA-2"],
+      "cmmc_practice_id": "MA.L2-3.7.1",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Maintenance policy, maintenance schedule, maintenance records, maintenance personnel authorization"
+    },
+    {
+      "id": "171-3.7.2",
+      "family": "Maintenance",
+      "family_code": "3.7",
+      "requirement_number": 2,
+      "title": "Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance",
+      "description": "Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.",
+      "discussion": "This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries but are used specifically for diagnostic and repair actions on those systems. Maintenance tools can include hardware, software, and firmware items. The tools need not necessarily be dedicated to the organization and may be provided by third parties.",
+      "nist_800_53_controls": ["MA-3", "MA-3(1)", "MA-3(2)"],
+      "cmmc_practice_id": "MA.L2-3.7.2",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Maintenance tools inventory, tool inspection records, maintenance personnel clearance verification"
+    },
+    {
+      "id": "171-3.7.3",
+      "family": "Maintenance",
+      "family_code": "3.7",
+      "requirement_number": 3,
+      "title": "Ensure equipment removed for off-site maintenance is sanitized of any CUI",
+      "description": "Ensure equipment removed for off-site maintenance is sanitized of any CUI.",
+      "discussion": "This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all equipment requiring maintenance whether performed by local or nonlocal entities. Equipment that stores, carries, or handles CUI must be sanitized before releasing it for off-site maintenance.",
+      "nist_800_53_controls": ["MA-3(3)"],
+      "cmmc_practice_id": "MA.L2-3.7.3",
+      "priority": "high",
+      "automation_level": "manual",
+      "evidence_required": "Media sanitization procedures for off-site maintenance, sanitization verification records"
+    },
+    {
+      "id": "171-3.7.4",
+      "family": "Maintenance",
+      "family_code": "3.7",
+      "requirement_number": 4,
+      "title": "Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems",
+      "description": "Check media containing diagnostic and test programs for malicious code before the media are used in organizational information systems.",
+      "discussion": "If, upon inspection of maintenance media, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.",
+      "nist_800_53_controls": ["MA-3(2)"],
+      "cmmc_practice_id": "MA.L2-3.7.4",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Media inspection procedures, malware scan logs for maintenance media, media inspection records"
+    },
+    {
+      "id": "171-3.7.5",
+      "family": "Maintenance",
+      "family_code": "3.7",
+      "requirement_number": 5,
+      "title": "Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete",
+      "description": "Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.",
+      "discussion": "Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements.",
+      "nist_800_53_controls": ["MA-4"],
+      "cmmc_practice_id": "MA.L2-3.7.5",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Remote maintenance MFA configuration, session termination procedures, remote maintenance access logs"
+    },
+    {
+      "id": "171-3.7.6",
+      "family": "Maintenance",
+      "family_code": "3.7",
+      "requirement_number": 6,
+      "title": "Supervise the maintenance activities of maintenance personnel without required access authorization",
+      "description": "Supervise the maintenance activities of maintenance personnel without required access authorization.",
+      "discussion": "This requirement applies to individuals performing hardware or software maintenance on organizational systems, while lacking required access authorization. Maintenance personnel are escorted and supervised during the performance of maintenance to detect unauthorized, unintended, or inappropriate system modifications.",
+      "nist_800_53_controls": ["MA-5"],
+      "cmmc_practice_id": "MA.L2-3.7.6",
+      "priority": "medium",
+      "automation_level": "manual",
+      "evidence_required": "Escort and supervision procedures, maintenance supervision logs, maintenance personnel authorization records"
+    },
+    {
+      "id": "171-3.8.1",
+      "family": "Media Protection",
+      "family_code": "3.8",
+      "requirement_number": 1,
+      "title": "Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital",
+      "description": "Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.",
+      "discussion": "System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and members of the hardware development team. Physically controlling system media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media.",
+      "nist_800_53_controls": ["MP-2", "MP-4"],
+      "cmmc_practice_id": "MP.L2-3.8.1",
+      "priority": "high",
+      "automation_level": "manual",
+      "evidence_required": "Media protection policy, media inventory, secure storage locations, media handling procedures"
+    },
+    {
+      "id": "171-3.8.2",
+      "family": "Media Protection",
+      "family_code": "3.8",
+      "requirement_number": 2,
+      "title": "Limit access to CUI on system media to authorized users",
+      "description": "Limit access to CUI on information system media to authorized users.",
+      "discussion": "Access can be limited by physically controlling system media and secure storage areas. Physically controlling system media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return system media to the media library, and maintaining accountability for all stored media.",
+      "nist_800_53_controls": ["MP-2"],
+      "cmmc_practice_id": "MP.L2-3.8.2",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Media access control list, authorized user roster for media access, media checkout/return logs"
+    },
+    {
+      "id": "171-3.8.3",
+      "family": "Media Protection",
+      "family_code": "3.8",
+      "requirement_number": 3,
+      "title": "Sanitize or destroy system media containing CUI before disposal or release for reuse",
+      "description": "Sanitize or destroy information system media containing CUI before disposal or release for reuse.",
+      "discussion": "This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques including clearing, purging, cryptographic erase, and destruction prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal.",
+      "nist_800_53_controls": ["MP-6"],
+      "cmmc_practice_id": "MP.L2-3.8.3",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Media sanitization policy, sanitization records, certificate of destruction, sanitization tool documentation"
+    },
+    {
+      "id": "171-3.8.4",
+      "family": "Media Protection",
+      "family_code": "3.8",
+      "requirement_number": 4,
+      "title": "Mark media with necessary CUI markings and distribution limitations",
+      "description": "Mark media with necessary CUI markings and distribution limitations.",
+      "discussion": "The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable laws, directives, policies, regulations, standards, and guidance. CUI markings follow CUI Registry guidance.",
+      "nist_800_53_controls": ["MP-3"],
+      "cmmc_practice_id": "MP.L2-3.8.4",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "CUI marking policy, media marking examples, CUI Registry compliance documentation"
+    },
+    {
+      "id": "171-3.8.5",
+      "family": "Media Protection",
+      "family_code": "3.8",
+      "requirement_number": 5,
+      "title": "Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas",
+      "description": "Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.",
+      "discussion": "Controlled areas are areas or spaces for which organizations provide sufficient physical or procedural controls to meet the requirements established for protecting CUI. Controls to maintain accountability for media during transport include locked containers and cryptography.",
+      "nist_800_53_controls": ["MP-5", "MP-5(4)"],
+      "cmmc_practice_id": "MP.L2-3.8.5",
+      "priority": "high",
+      "automation_level": "manual",
+      "evidence_required": "Media transport policy, media transport logs, custody chain documentation, transport container specifications"
+    },
+    {
+      "id": "171-3.8.6",
+      "family": "Media Protection",
+      "family_code": "3.8",
+      "requirement_number": 6,
+      "title": "Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards",
+      "description": "Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.",
+      "discussion": "This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives). Cryptographic mechanisms applied to protect the confidentiality of CUI on digital media during transport include FIPS-validated encryption standards.",
+      "nist_800_53_controls": ["MP-5(4)"],
+      "cmmc_practice_id": "MP.L2-3.8.6",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Media encryption policy, encryption configuration for portable storage, FIPS-validated encryption documentation"
+    },
+    {
+      "id": "171-3.8.7",
+      "family": "Media Protection",
+      "family_code": "3.8",
+      "requirement_number": 7,
+      "title": "Control the use of removable media on system components",
+      "description": "Control the use of removable media on information system components.",
+      "discussion": "In contrast to requirement 3.8.1 which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls to control the use of system media.",
+      "nist_800_53_controls": ["MP-7"],
+      "cmmc_practice_id": "MP.L2-3.8.7",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Removable media usage policy, USB device control configuration, media restriction group policy settings"
+    },
+    {
+      "id": "171-3.8.8",
+      "family": "Media Protection",
+      "family_code": "3.8",
+      "requirement_number": 8,
+      "title": "Prohibit the use of portable storage devices when such devices have no identifiable owner",
+      "description": "Prohibit the use of portable storage devices when such devices have no identifiable owner.",
+      "discussion": "Requiring identifiable owners for portable storage devices reduces the risk of using such technology by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices.",
+      "nist_800_53_controls": ["MP-7(1)"],
+      "cmmc_practice_id": "MP.L2-3.8.8",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Portable storage device ownership policy, device registration records, authorized device inventory"
+    },
+    {
+      "id": "171-3.8.9",
+      "family": "Media Protection",
+      "family_code": "3.8",
+      "requirement_number": 9,
+      "title": "Protect the confidentiality of backup CUI at storage locations",
+      "description": "Protect the confidentiality of backup CUI at storage locations.",
+      "discussion": "Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backup information containing CUI may include system-level information and user-level information.",
+      "nist_800_53_controls": ["CP-9"],
+      "cmmc_practice_id": "MP.L2-3.8.9",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Backup encryption configuration, backup storage security documentation, backup access control lists"
+    },
+    {
+      "id": "171-3.9.1",
+      "family": "Personnel Security",
+      "family_code": "3.9",
+      "requirement_number": 1,
+      "title": "Screen individuals prior to authorizing access to organizational systems containing CUI",
+      "description": "Screen individuals prior to authorizing access to organizational information systems containing CUI.",
+      "discussion": "Personnel security screening activities reflect applicable laws, directives, policies, regulations, standards, guidance, and specific criteria established for the risk designations of assigned positions. Screening activities may include background checks, credit checks, and verification of education, employment, and references.",
+      "nist_800_53_controls": ["PS-3"],
+      "cmmc_practice_id": "PS.L2-3.9.1",
+      "priority": "high",
+      "automation_level": "manual",
+      "evidence_required": "Personnel screening policy, background check records, screening completion verification"
+    },
+    {
+      "id": "171-3.9.2",
+      "family": "Personnel Security",
+      "family_code": "3.9",
+      "requirement_number": 2,
+      "title": "Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers",
+      "description": "Ensure that organizational information systems containing CUI are protected during and after personnel actions such as terminations and transfers.",
+      "discussion": "Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Termination of an employee should also include disabling all system access.",
+      "nist_800_53_controls": ["PS-4", "PS-5"],
+      "cmmc_practice_id": "PS.L2-3.9.2",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Personnel action procedures, account termination/transfer records, exit interview documentation, property return records"
+    },
+    {
+      "id": "171-3.10.1",
+      "family": "Physical Protection",
+      "family_code": "3.10",
+      "requirement_number": 1,
+      "title": "Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals",
+      "description": "Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.",
+      "discussion": "This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals include organizational personnel, visitors, or other individuals with some form of identification that allows them to be authenticated. Organizations identify those individuals with needed and authorized access to organizational systems.",
+      "nist_800_53_controls": ["PE-2", "PE-3"],
+      "cmmc_practice_id": "PE.L2-3.10.1",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Physical access control policy, authorized personnel list, physical access logs, badge/key inventory"
+    },
+    {
+      "id": "171-3.10.2",
+      "family": "Physical Protection",
+      "family_code": "3.10",
+      "requirement_number": 2,
+      "title": "Protect and monitor the physical facility and support infrastructure for organizational systems",
+      "description": "Protect and monitor the physical facility and support infrastructure for organizational information systems.",
+      "discussion": "Monitoring of the physical facility and support infrastructure includes the use of physical intrusion detection devices, security cameras, and security guards. Organizations should also address the environmental hazards to the facility and the systems therein such as flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation.",
+      "nist_800_53_controls": ["PE-3", "PE-6"],
+      "cmmc_practice_id": "PE.L2-3.10.2",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Physical security monitoring plan, security camera placement, intrusion detection system documentation, environmental controls"
+    },
+    {
+      "id": "171-3.10.3",
+      "family": "Physical Protection",
+      "family_code": "3.10",
+      "requirement_number": 3,
+      "title": "Escort visitors and monitor visitor activity",
+      "description": "Escort visitors and monitor visitor activity.",
+      "discussion": "Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity. Visitor escort and monitoring are in addition to the physical access controls specified in requirement 3.10.1.",
+      "nist_800_53_controls": ["PE-3"],
+      "cmmc_practice_id": "PE.L2-3.10.3",
+      "priority": "medium",
+      "automation_level": "manual",
+      "evidence_required": "Visitor escort policy, visitor logs, visitor badge procedures, visitor monitoring records"
+    },
+    {
+      "id": "171-3.10.4",
+      "family": "Physical Protection",
+      "family_code": "3.10",
+      "requirement_number": 4,
+      "title": "Maintain audit logs of physical access",
+      "description": "Maintain audit logs of physical access.",
+      "discussion": "Organizations have flexibility in the types of audit logs maintained. Audit logs of physical access can include access to facilities, controlled areas within facilities, and specific physical entry points. Organizations may determine that it is not necessary to audit physical access at all physical entry points (e.g., based on the security categorization of the system).",
+      "nist_800_53_controls": ["PE-3"],
+      "cmmc_practice_id": "PE.L2-3.10.4",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Physical access audit logs, badge reader logs, access log retention documentation"
+    },
+    {
+      "id": "171-3.10.5",
+      "family": "Physical Protection",
+      "family_code": "3.10",
+      "requirement_number": 5,
+      "title": "Control and manage physical access devices",
+      "description": "Control and manage physical access devices.",
+      "discussion": "Physical access devices include keys, locks, combinations, and card readers. Safeguards for controlling physical access devices commensurate with the level of protection needed for the systems they protect include changing combinations and keys when they are compromised, lost, or individuals are transferred or terminated.",
+      "nist_800_53_controls": ["PE-3"],
+      "cmmc_practice_id": "PE.L2-3.10.5",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Physical access device inventory, key/badge management procedures, device issuance/return records"
+    },
+    {
+      "id": "171-3.10.6",
+      "family": "Physical Protection",
+      "family_code": "3.10",
+      "requirement_number": 6,
+      "title": "Enforce safeguarding measures for CUI at alternate work sites",
+      "description": "Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).",
+      "discussion": "Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security measures for specific alternate work sites or types of sites. Safeguarding CUI at alternate work sites includes the protection of CUI through both physical and technical means.",
+      "nist_800_53_controls": ["PE-17"],
+      "cmmc_practice_id": "PE.L2-3.10.6",
+      "priority": "medium",
+      "automation_level": "manual",
+      "evidence_required": "Telework security policy, alternate work site security assessment, remote work security agreement"
+    },
+    {
+      "id": "171-3.11.1",
+      "family": "Risk Assessment",
+      "family_code": "3.11",
+      "requirement_number": 1,
+      "title": "Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI",
+      "description": "Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.",
+      "discussion": "Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, and other organizations. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, groups, and organizations).",
+      "nist_800_53_controls": ["RA-3"],
+      "cmmc_practice_id": "RA.L2-3.11.1",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Risk assessment report, risk assessment methodology, threat and vulnerability inventory, risk register"
+    },
+    {
+      "id": "171-3.11.2",
+      "family": "Risk Assessment",
+      "family_code": "3.11",
+      "requirement_number": 2,
+      "title": "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified",
+      "description": "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.",
+      "discussion": "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches.",
+      "nist_800_53_controls": ["RA-5", "RA-5(5)"],
+      "cmmc_practice_id": "RA.L2-3.11.2",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Vulnerability scan reports, scanning schedule, scan tool configuration, vulnerability remediation tracking"
+    },
+    {
+      "id": "171-3.11.3",
+      "family": "Risk Assessment",
+      "family_code": "3.11",
+      "requirement_number": 3,
+      "title": "Remediate vulnerabilities in accordance with risk assessments",
+      "description": "Remediate vulnerabilities in accordance with assessments of risk.",
+      "discussion": "Vulnerabilities discovered through vulnerability scans need to be remediated. The organization uses the results of risk assessments to prioritize the remediation of known vulnerabilities. The remediation priority is commensurate with the risk.",
+      "nist_800_53_controls": ["RA-5"],
+      "cmmc_practice_id": "RA.L2-3.11.3",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Vulnerability remediation plan, remediation tracking records, risk-based prioritization documentation"
+    },
+    {
+      "id": "171-3.12.1",
+      "family": "Security Assessment",
+      "family_code": "3.12",
+      "requirement_number": 1,
+      "title": "Periodically assess the security controls in organizational systems to determine if the controls are effective in their application",
+      "description": "Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.",
+      "discussion": "Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the initial and ongoing authorization of systems. Security assessments determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.",
+      "nist_800_53_controls": ["CA-2"],
+      "cmmc_practice_id": "CA.L2-3.12.1",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Security assessment plan, security assessment report, control effectiveness ratings"
+    },
+    {
+      "id": "171-3.12.2",
+      "family": "Security Assessment",
+      "family_code": "3.12",
+      "requirement_number": 2,
+      "title": "Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems",
+      "description": "Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.",
+      "discussion": "Plans of action are key documents in security authorization packages. Organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document plans of action in a Plan of Action and Milestones (POA&M) document.",
+      "nist_800_53_controls": ["CA-5"],
+      "cmmc_practice_id": "CA.L2-3.12.2",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Plan of Action and Milestones (POA&M), remediation timelines, milestone tracking"
+    },
+    {
+      "id": "171-3.12.3",
+      "family": "Security Assessment",
+      "family_code": "3.12",
+      "requirement_number": 3,
+      "title": "Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls",
+      "description": "Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.",
+      "discussion": "Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions.",
+      "nist_800_53_controls": ["CA-7"],
+      "cmmc_practice_id": "CA.L2-3.12.3",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Continuous monitoring plan, automated monitoring tool configuration, monitoring reports, control status dashboard"
+    },
+    {
+      "id": "171-3.12.4",
+      "family": "Security Assessment",
+      "family_code": "3.12",
+      "requirement_number": 4,
+      "title": "Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems",
+      "description": "Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.",
+      "discussion": "System security plans relate security requirements to a set of security controls. System security plans also describe how the security controls meet the security requirements, the rationale for any tailoring decisions, and supplementary information needed to describe the implementation and operation of the controls. System security plans should be reviewed and updated periodically.",
+      "nist_800_53_controls": ["PL-2"],
+      "cmmc_practice_id": "CA.L2-3.12.4",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "System Security Plan (SSP), boundary diagrams, system interconnection documentation, SSP review records"
+    },
+    {
+      "id": "171-3.13.1",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 1,
+      "title": "Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems",
+      "description": "Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the organizational information systems.",
+      "discussion": "Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and extrusion detection systems, virtual private network (VPN) gateways, and encrypted tunnels implemented within a system security architecture.",
+      "nist_800_53_controls": ["SC-7", "SA-8"],
+      "cmmc_practice_id": "SC.L2-3.13.1",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Boundary protection configuration, firewall rules, network architecture diagrams, IDS/IPS configuration"
+    },
+    {
+      "id": "171-3.13.2",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 2,
+      "title": "Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems",
+      "description": "Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.",
+      "discussion": "Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.",
+      "nist_800_53_controls": ["SA-8"],
+      "cmmc_practice_id": "SC.L2-3.13.2",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Security architecture documentation, secure development lifecycle documentation, systems engineering plan"
+    },
+    {
+      "id": "171-3.13.3",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 3,
+      "title": "Separate user functionality from system management functionality",
+      "description": "Separate user functionality from information system management functionality.",
+      "discussion": "System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is either physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate.",
+      "nist_800_53_controls": ["SC-2"],
+      "cmmc_practice_id": "SC.L2-3.13.3",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "System architecture showing user/admin separation, network segmentation documentation, virtualization configuration"
+    },
+    {
+      "id": "171-3.13.4",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 4,
+      "title": "Prevent unauthorized and unintended information transfer via shared system resources",
+      "description": "Prevent unauthorized and unintended information transfer via shared system resources.",
+      "discussion": "The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disk) is also commonly referred to as object reuse and residual information protection. This requirement prevents information, including encrypted representations of information, produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles).",
+      "nist_800_53_controls": ["SC-4"],
+      "cmmc_practice_id": "SC.L2-3.13.4",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Object reuse configuration, memory clearing mechanisms, shared resource isolation documentation"
+    },
+    {
+      "id": "171-3.13.5",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 5,
+      "title": "Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks",
+      "description": "Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.",
+      "discussion": "Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.",
+      "nist_800_53_controls": ["SC-7"],
+      "cmmc_practice_id": "SC.L2-3.13.5",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "DMZ architecture diagrams, network segmentation documentation, firewall rules separating public/private networks"
+    },
+    {
+      "id": "171-3.13.6",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 6,
+      "title": "Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)",
+      "description": "Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).",
+      "discussion": "This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.",
+      "nist_800_53_controls": ["SC-7(5)"],
+      "cmmc_practice_id": "SC.L2-3.13.6",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Default-deny firewall configuration, network access control lists, traffic flow policy documentation"
+    },
+    {
+      "id": "171-3.13.7",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 7,
+      "title": "Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling)",
+      "description": "Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).",
+      "discussion": "Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling would, in effect, allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.",
+      "nist_800_53_controls": ["SC-7(7)"],
+      "cmmc_practice_id": "SC.L2-3.13.7",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Split tunneling prevention configuration, VPN client configuration, remote access policy"
+    },
+    {
+      "id": "171-3.13.8",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 8,
+      "title": "Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards",
+      "description": "Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.",
+      "discussion": "This requirement applies to both internal and external networks and all types of information system components from which CUI can be transmitted (e.g., servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.",
+      "nist_800_53_controls": ["SC-8", "SC-8(1)"],
+      "cmmc_practice_id": "SC.L2-3.13.8",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Encryption in transit configuration, TLS/IPSec configuration, FIPS-validated cryptography documentation"
+    },
+    {
+      "id": "171-3.13.9",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 9,
+      "title": "Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity",
+      "description": "Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.",
+      "discussion": "This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions include de-allocating associated TCP/IP address or port pairs at the operating-system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection.",
+      "nist_800_53_controls": ["SC-10"],
+      "cmmc_practice_id": "SC.L2-3.13.9",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Session timeout configuration, network connection termination settings, idle timeout policy"
+    },
+    {
+      "id": "171-3.13.10",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 10,
+      "title": "Establish and manage cryptographic keys for cryptography employed in organizational systems",
+      "description": "Establish and manage cryptographic keys for cryptography employed in organizational systems.",
+      "discussion": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, directives, policies, regulations, standards, and guidance specifying appropriate options, levels, and parameters.",
+      "nist_800_53_controls": ["SC-12"],
+      "cmmc_practice_id": "SC.L2-3.13.10",
+      "priority": "high",
+      "automation_level": "partial",
+      "evidence_required": "Key management policy, key lifecycle documentation, key storage mechanisms, key rotation schedule"
+    },
+    {
+      "id": "171-3.13.11",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 11,
+      "title": "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI",
+      "description": "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.",
+      "discussion": "Cryptography can be employed to support many security solutions including the protection of CUI, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-2 (as amended) or FIPS 140-3 requirements.",
+      "nist_800_53_controls": ["SC-13"],
+      "cmmc_practice_id": "SC.L2-3.13.11",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "FIPS 140-2/140-3 validated module certificates, cryptographic module inventory, FIPS mode configuration"
+    },
+    {
+      "id": "171-3.13.12",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 12,
+      "title": "Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device",
+      "description": "Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.",
+      "discussion": "Collaborative computing devices include networked white boards, cameras, and microphones. Indication of use includes signals to users when collaborative computing devices are activated. Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded.",
+      "nist_800_53_controls": ["SC-15"],
+      "cmmc_practice_id": "SC.L2-3.13.12",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Collaborative device policy, remote activation prevention configuration, device indicator documentation"
+    },
+    {
+      "id": "171-3.13.13",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 13,
+      "title": "Control and monitor the use of mobile code",
+      "description": "Control and monitor the use of mobile code.",
+      "discussion": "Decisions regarding the employment of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices.",
+      "nist_800_53_controls": ["SC-18"],
+      "cmmc_practice_id": "SC.L2-3.13.13",
+      "priority": "medium",
+      "automation_level": "auto",
+      "evidence_required": "Mobile code policy, browser security configuration, mobile code restrictions, content filtering configuration"
+    },
+    {
+      "id": "171-3.13.14",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 14,
+      "title": "Control and monitor the use of Voice over Internet Protocol (VoIP) technologies",
+      "description": "Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.",
+      "discussion": "VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS). In contrast, POTS is more reliable in terms of quality of service and availability, especially during power outages. VoIP security considerations include restricting VoIP traffic to a dedicated VLAN, implementing traffic encryption, and validating that firewalls support VoIP traffic.",
+      "nist_800_53_controls": ["SC-19"],
+      "cmmc_practice_id": "SC.L2-3.13.14",
+      "priority": "low",
+      "automation_level": "partial",
+      "evidence_required": "VoIP security policy, VoIP network configuration, VLAN segmentation for VoIP, VoIP encryption settings"
+    },
+    {
+      "id": "171-3.13.15",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 15,
+      "title": "Protect the authenticity of communications sessions",
+      "description": "Protect the authenticity of communications sessions.",
+      "discussion": "Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session level rather than at the packet level (e.g., sessions in service-oriented architectures providing web-based services).",
+      "nist_800_53_controls": ["SC-23"],
+      "cmmc_practice_id": "SC.L2-3.13.15",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Session authentication mechanism documentation, TLS mutual authentication configuration, session integrity controls"
+    },
+    {
+      "id": "171-3.13.16",
+      "family": "System and Communications Protection",
+      "family_code": "3.13",
+      "requirement_number": 16,
+      "title": "Protect the confidentiality of CUI at rest",
+      "description": "Protect the confidentiality of CUI at rest.",
+      "discussion": "Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protecting CUI at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning.",
+      "nist_800_53_controls": ["SC-28"],
+      "cmmc_practice_id": "SC.L2-3.13.16",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Data-at-rest encryption configuration, disk encryption documentation, database encryption settings, FIPS-validated module evidence"
+    },
+    {
+      "id": "171-3.14.1",
+      "family": "System and Information Integrity",
+      "family_code": "3.14",
+      "requirement_number": 1,
+      "title": "Identify, report, and correct system flaws in a timely manner",
+      "description": "Identify, report, and correct information and information system flaws in a timely manner.",
+      "discussion": "Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling.",
+      "nist_800_53_controls": ["SI-2"],
+      "cmmc_practice_id": "SI.L2-3.14.1",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Patch management policy, patch deployment records, flaw remediation tracking, vulnerability scan results"
+    },
+    {
+      "id": "171-3.14.2",
+      "family": "System and Information Integrity",
+      "family_code": "3.14",
+      "requirement_number": 2,
+      "title": "Provide protection from malicious code at designated locations within organizational systems",
+      "description": "Provide protection from malicious code at appropriate locations within organizational information systems.",
+      "discussion": "Designated locations include system entry and exit points which may include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats, be contained within compressed or hidden files, or hidden in files using steganography.",
+      "nist_800_53_controls": ["SI-3"],
+      "cmmc_practice_id": "SI.L2-3.14.2",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Anti-malware solution deployment, malware protection configuration, malware signature update schedule, scan results"
+    },
+    {
+      "id": "171-3.14.3",
+      "family": "System and Information Integrity",
+      "family_code": "3.14",
+      "requirement_number": 3,
+      "title": "Monitor system security alerts and advisories and take action in response",
+      "description": "Monitor system security alerts and advisories and take action in response.",
+      "discussion": "There are many publicly available sources of system security alerts and advisories. Examples include the United States Computer Emergency Readiness Team (US-CERT), the National Vulnerability Database (NVD), and vendor-specific security advisories. Organizations should be particularly vigilant with respect to security advisories and alerts that affect their specific system configurations.",
+      "nist_800_53_controls": ["SI-5"],
+      "cmmc_practice_id": "SI.L2-3.14.3",
+      "priority": "medium",
+      "automation_level": "partial",
+      "evidence_required": "Security advisory monitoring process, alert subscription evidence, response action records"
+    },
+    {
+      "id": "171-3.14.4",
+      "family": "System and Information Integrity",
+      "family_code": "3.14",
+      "requirement_number": 4,
+      "title": "Update malicious code protection mechanisms when new releases are available",
+      "description": "Update malicious code protection mechanisms when new releases are available.",
+      "discussion": "Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code.",
+      "nist_800_53_controls": ["SI-3"],
+      "cmmc_practice_id": "SI.L2-3.14.4",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Anti-malware update configuration, signature update logs, automatic update policy settings"
+    },
+    {
+      "id": "171-3.14.5",
+      "family": "System and Information Integrity",
+      "family_code": "3.14",
+      "requirement_number": 5,
+      "title": "Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed",
+      "description": "Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.",
+      "discussion": "Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats, be contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can also be transmitted as part of an incoming electronic mail message or during web browsing.",
+      "nist_800_53_controls": ["SI-3"],
+      "cmmc_practice_id": "SI.L2-3.14.5",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Periodic scan schedule, real-time protection configuration, scan result logs, external source scanning policy"
+    },
+    {
+      "id": "171-3.14.6",
+      "family": "System and Information Integrity",
+      "family_code": "3.14",
+      "requirement_number": 6,
+      "title": "Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks",
+      "description": "Monitor organizational information systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.",
+      "discussion": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary. Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions.",
+      "nist_800_53_controls": ["SI-4"],
+      "cmmc_practice_id": "SI.L2-3.14.6",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "IDS/IPS configuration, network monitoring tools, SIEM integration, traffic analysis reports, alerting configuration"
+    },
+    {
+      "id": "171-3.14.7",
+      "family": "System and Information Integrity",
+      "family_code": "3.14",
+      "requirement_number": 7,
+      "title": "Identify unauthorized use of organizational systems",
+      "description": "Identify unauthorized use of organizational information systems.",
+      "discussion": "System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software).",
+      "nist_800_53_controls": ["SI-4"],
+      "cmmc_practice_id": "SI.L2-3.14.7",
+      "priority": "high",
+      "automation_level": "auto",
+      "evidence_required": "Unauthorized use detection mechanisms, user behavior analytics, anomaly detection configuration, unauthorized access alerts"
+    }
+  ]
+}