![University of Hawaiʻi at Mānoa](/its/template/system_2019/images/uh-nameplate.png")
University of Hawaiʻi System
Cybersecurity Maturity Model Certification 2.0
Last Updated 2022-07-15
ITS Minimum Security Standards Mapping by CMMC 2.0 Levels 1 & 2
ITS has performed analysis mapping the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) Levels 1 & 2 requirements against the ITS Minimum Security Standards (MSS).
Please visit the specific ITS MSS device type (Endpoints, Servers, Multi-Function Devices) for any additional guidance.
The ITS MSS listed in the tables are abstracted from the Center for Internet Security's (CIS) Controls, which are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The standards listed are selected based on its applicability to the University of Hawaiʻi.
- When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.
- When comparing Standards, Acts, or Policies to the ITS Minimum Security Standards, the more stringent standard takes precedence.
- Standard, Act, or Policy requirements still apply when there is no equivalent ITS Minimum Security Standard.
Please note that the ITS Minimum Security Standard (MSS) mappings are designed as a starting point for implementing their respective Standard, Act, or Policy and are not an indication of compliance. Mappings are selected based on relativity and may differ in implementation based on device type.
ITS Minimum Security Standards Mapping by CMMC 2.0 Levels 1 & 2 |
||||||
|---|---|---|---|---|---|---|
| # | Standards |
CMMC 2.0 Controls MappingLevels 1 & 2 |
||||
| Automatic Updates / Patching | Level 1 | Level 2 | ||||
| Enable automatic updates for operating systems and software if possible. | ||||||
| Install standard operating system and software security patches on a monthly basis for servers and networking devices. | ||||||
| Ensure operating systems and software are fully supported by the vendor. End-of-life software and operating systems do not receive security updates. | ||||||
| Firewall Configuration | Level 1 | Level 2 | ||||
| Configure and manage a host based firewall or a network firewall device with a default deny-all policy. Only necessary services should be allowed through the firewall. | ||||||
| Password Security | Level 1 | Level 2 | ||||
| Ensure that all devices have strong and unique password protected individual logins for all local and remote accounts. | ||||||
| Ensure that all web applications have strong and unique password protected individual logins for administrative accounts. | ||||||
| Data Management | Level 1 | Level 2 | ||||
| Utilize the University's records management process for . | ||||||
| Securely dispose of Institutional Data following our Disposal Guidelines. | ||||||
| Use Spirion to scan for sensitive and regulated information on a monthly basis. | ||||||
| Encryption | Level 1 | Level 2 | ||||
| Ensure that data is encrypted with a secure encryption algorithm while in transit. | ||||||
| Ensure that files containing Sensitive and Regulated data stored on servers, applications, databases, and removable media are encrypted or stored in an encrypted file container such as Veracrypt. | ||||||
| Utilize 糖心Vlog官方 Enterprise Dropbox to store Sensitive and Regulated data online. | ||||||
| Asset Management | Level 1 | Level 2 | ||||
| Complete the Annual Device Registration. | ||||||
| Maintain an updated inventory of all software and hardware assets. | ||||||
| Ensure that hardware and software assets are actively receiving security updates. | ||||||
| Review asset lists on a monthly basis. Remove or replace unauthorized and end-of-life assets if possible. | ||||||
| Data Inventory | Level 1 | Level 2 | ||||
| Complete the annual Personal Information Survey (PIS). | ||||||
| Removable Media | Level 1 | Level 2 | ||||
| Disable autorun / autoplay for removable media. | ||||||
| Malware Protection | Level 1 | Level 2 | ||||
| Install and enable an anti-malware solution. | ||||||
| Ensure automatic anti-malware signature updates are enabled. | ||||||
| Enable anti-exploitation features. | ||||||
| Session Locking / Session Timeout | Level 1 | Level 2 | ||||
| Configure a maximum 15 minute session timeout for system access and remote access protocols (SSH, RDP, etc.). | ||||||
| Backups | Level 1 | Level 2 | ||||
| Maintain an offline, off-site, or cloud-based backup instance. | ||||||
| Ensure backups are encrypted. | ||||||
| Perform automatic backups of systems on at least a weekly basis. | ||||||
| Multi-Factor Authentication | Level 1 | Level 2 | ||||
| Enable multi-factor authentication to access externally-exposed applications, remote network access, and administrative access where possible. | ||||||
| Utilize 糖心Vlog官方 login for compatible web application logins. | ||||||
| Centralized Logging | Level 1 | Level 2 | ||||
| Deploy a centralized log management system for servers and aggregate logs. | ||||||
| Retain centralized logs for at least 90 days. Adequate log storage must be accounted for. | ||||||
| Review centralized audit logs on a weekly basis. | ||||||
| Secure Access | Level 1 | Level 2 | ||||
| Access applications and manage software over a secure encrypted connection (SSH, HTTPS, etc.). | ||||||
| Limit access to MFDs and IoT devices by authorized IPs if possible. | ||||||
| Secure Configuration | Level 1 | Level 2 | ||||
| Ensure that servers and network devices are configured following industry security best practices. CIS Configuration Guides are recommended. Configuration scripts are available upon request. | ||||||
| Uninstall or disable unnecessary and unused services on servers and network devices. | ||||||
| Event Logging | Level 1 | Level 2 | ||||
| Enable logging of system, security, and application events. | ||||||
| Retain logs for at least 90 days. Adequate log storage must be accounted for. | ||||||
| Review audit logs on a weekly basis. | ||||||
| Network Security | Level 1 | Level 2 | ||||
| Utilize network segmentation to address least privilege by isolating personal, untrusted, and IoT devices from critical services. | ||||||
| Maintain network diagrams. | ||||||
| Utilize Wi-Fi Protected Access 2 (WPA2) with AES-128 or greater and a strong password for wireless networks. | ||||||
| Access Control | Level 1 | Level 2 | ||||
| Maintain an updated access control list of user roles, accounts and permissions for local/remote file systems, databases, and applications. | ||||||
| Grant access and apply access privileges to systems and services on a need to know basis. | ||||||
| Revoke privileges to systems and services upon employee termination, rights revocation, or role change. | ||||||
| Account Management | Level 1 | Level 2 | ||||
| Restrict administrator privileges to individually dedicated administrator accounts. | ||||||
| Remove dormant accounts (45 days of inactivity). | ||||||
| Disable default system and software accounts or make them unusable. | ||||||
| Review account privileges and permissions quarterly. | ||||||
| Vulnerability Scanning | Level 1 | Level 2 | ||||
| 糖心Vlog官方 Vulnerability Scan SitePerform vulnerability scans using or Nessus Agents on a monthly basis. | ||||||
| Remediate all High and Critical severity vulnerabilities within 7 days. | ||||||
Sources:
- CMMC 2.0 Controls Mapping:
- CMMC 2.0 Main Page:
- CMMC 2.0 Model:
- CMMC 2.0 FAQs:
- Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations:
- NIST Special Publication 800-171 Revision 2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf