CMMC Level 2 — Compliance Overview
CMMC Level 2 requires implementation of 110 NIST SP 800-171 Rev 2 practices across 14 control families. This report maps Rockfish NDR evidence to the network-relevant controls. Controls marked **Monitored** have automated evidence from network telemetry. Controls marked **Partial** have supporting data but require additional organizational processes. Controls marked **Manual** require policy documentation outside NDR scope.
NIST 800-171 Control Mapping
Network-relevant controls from NIST SP 800-171 Rev 2 mapped to Rockfish NDR evidence sources. Each control shows the evidence type and current monitoring status.
| Control | Family | Requirement | Evidence Source | Status |
|---|---|---|---|---|
| 3.1.1 | Access Control | Limit system access to authorized users | Flow records, connection pairs | Monitored |
| 3.1.2 | Access Control | Limit system access to authorized functions | Port/protocol analysis, app identification | Monitored |
| 3.1.3 | Access Control | Control the flow of CUI per authorizations | Flow orientation (ii/ie/ei/ee), boundary monitoring | Monitored |
| 3.1.5 | Access Control | Employ least privilege | Port/service enumeration per host | Partial |
| 3.1.12 | Access Control | Monitor and control remote access sessions | External connection tracking, VPN/RDP detection | Monitored |
| 3.1.14 | Access Control | Route remote access via managed access control points | Flow orientation, boundary traversal analysis | Monitored |
| 3.3.1 | Audit & Accountability | Create and retain system audit records | Flow, alert, DNS, TLS Parquet records | Monitored |
| 3.3.2 | Audit & Accountability | Ensure traceability of user actions | Timestamped flows with src/dst, port, protocol | Monitored |
| 3.3.3 | Audit & Accountability | Review and update logged events | Automated report generation, scheduled reports | Monitored |
| 3.3.4 | Audit & Accountability | Alert on audit logging process failures | Probe health monitoring, data gap detection | Partial |
| 3.3.5 | Audit & Accountability | Correlate audit record review and reporting | NDR report dashboard, cross-source correlation | Monitored |
| 3.4.1 | Config Management | Establish and maintain baseline configs | Device inventory, baseline deviation detection | Partial |
| 3.4.9 | Config Management | Control and monitor user-installed software | nDPI application identification, port scanning | Monitored |
| 3.6.1 | Incident Response | Establish incident-handling capability | IDS alerts, MITRE ATT&CK mapping, threat findings | Monitored |
| 3.6.2 | Incident Response | Track, document, and report incidents | Alert timeline, severity tracking, hunt findings | Monitored |
| 3.11.2 | Risk Assessment | Scan for vulnerabilities periodically | nDPI risk scoring, anomaly detection | Partial |
| 3.11.3 | Risk Assessment | Remediate vulnerabilities per assessments | Threat findings with severity, IP reputation scores | Partial |
| 3.13.1 | System & Comms Protection | Monitor and protect communications at boundaries | Flow orientation, boundary traffic analysis | Monitored |
| 3.13.2 | System & Comms Protection | Employ architectural designs to protect CUI | Network graph, subnet segmentation analysis | Partial |
| 3.13.5 | System & Comms Protection | Implement subnetworks for publicly accessible components | Flow orientation, VLAN tracking, subnet analysis | Monitored |
| 3.13.6 | System & Comms Protection | Deny network traffic by default | Blocked flow detection, firewall rule evidence | Partial |
| 3.13.8 | System & Comms Protection | Implement cryptographic mechanisms for CUI in transit | TLS version compliance, encryption analysis | Monitored |
| 3.13.11 | System & Comms Protection | Employ FIPS-validated cryptography | TLS 1.2+ enforcement, cipher suite analysis | Monitored |
| 3.13.15 | System & Comms Protection | Protect authenticity of communications sessions | JA4 fingerprinting, TLS certificate validation | Monitored |
| 3.14.1 | System & Info Integrity | Identify, report, and correct system flaws | IDS alerts, nDPI risk scoring | Monitored |
| 3.14.2 | System & Info Integrity | Provide protection from malicious code | Suricata signature matching, threat detection | Monitored |
| 3.14.3 | System & Info Integrity | Monitor security alerts and advisories | IP reputation, threat intel integration | Monitored |
| 3.14.6 | System & Info Integrity | Monitor organizational systems | Continuous flow capture, anomaly detection, beaconing | Monitored |
| 3.14.7 | System & Info Integrity | Identify unauthorized use of systems | Behavioral anomalies, new connection pairs, DGA detection | Monitored |
Evidence Detail
AU — Audit Record Coverage
Volume of audit records by event type during the reporting period (NIST 3.3.1, 3.3.2).
| Event Type | Records | % |
|---|---|---|
| Flow Records | 1,482,391 | 45.6 |
| DNS Queries | 1,023,847 | 31.5 |
| TLS Sessions | 578,416 | 17.8 |
| IDS Alerts | 8,655 | 0.3 |
SC — Encryption Compliance (TLS)
TLS version distribution across encrypted connections. This table provides evidence for NIST 3.13.8 (cryptographic protection of CUI in transit) and 3.13.11 (FIPS-validated cryptography); the report treats TLS 1.2 and TLS 1.3 sessions negotiated with approved cipher suites as satisfying the requirement, so the TLSv1.0 and TLSv1.1 sessions below are the non-compliant remainder.
| TLS Version | Connections | % |
|---|---|---|
| TLSv1.3 | 412,847 | 71.4 |
| TLSv1.2 | 148,293 | 25.6 |
| TLSv1.1 | 12,384 | 2.1 |
| TLSv1.0 | 4,892 | 0.9 |
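The check behind this table, written as an added example for this overview (not Rockfish NDR's own code): each recorded TLS session is classified by negotiated version and cipher suite, the version distribution is tabulated as above, and the non-compliant sessions are grouped by destination so a reviewer can see which servers still negotiate legacy parameters. The `TlsSession` records, the `APPROVED_CIPHERS` allowlist and the sample sessions are all constructed assumptions for illustration; the authoritative cipher list comes from the organization's FIPS policy and the validated module in use.

```python
from collections import Counter
from dataclasses import dataclass

# TLS versions the report counts as satisfying NIST 3.13.8 / 3.13.11 (TLS 1.2+).
COMPLIANT_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Illustrative cipher-suite allowlist. ASSUMPTION for this example only: the
# authoritative set comes from the organization's FIPS policy and the
# validated cryptographic module in use, not from this constant.
APPROVED_CIPHERS = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}


@dataclass(frozen=True)
class TlsSession:
    """One negotiated TLS session as a network sensor would record it (assumed shape)."""
    src: str
    dst: str
    version: str
    cipher: str


# Constructed sample sessions (not real telemetry); RFC 5737 documentation addresses.
SAMPLE_SESSIONS = [
    TlsSession("10.1.4.21", "203.0.113.10", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    TlsSession("10.1.4.22", "203.0.113.10", "TLSv1.3", "TLS_AES_128_GCM_SHA256"),
    TlsSession("10.1.4.23", "203.0.113.10", "TLSv1.3", "TLS_AES_128_GCM_SHA256"),
    TlsSession("10.1.5.7", "198.51.100.5", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    TlsSession("10.1.5.8", "198.51.100.5", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    # Version is fine but the cipher suite is not on the allowlist.
    TlsSession("10.1.5.9", "198.51.100.5", "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    # Legacy versions: non-compliant regardless of cipher.
    TlsSession("10.1.9.40", "192.0.2.77", "TLSv1.1", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    TlsSession("10.1.9.41", "192.0.2.77", "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]


def is_compliant(session: TlsSession) -> bool:
    """Both the protocol version and the cipher suite must pass."""
    return session.version in COMPLIANT_VERSIONS and session.cipher in APPROVED_CIPHERS


def version_distribution(sessions):
    """{version: (count, percent)} in descending count order, like the report table."""
    counts = Counter(s.version for s in sessions)
    total = len(sessions)
    return {v: (n, round(100.0 * n / total, 1)) for v, n in counts.most_common()}


def compliance_summary(sessions):
    """Headline numbers for the control: how many sessions pass and fail."""
    ok = sum(1 for s in sessions if is_compliant(s))
    return {"compliant": ok, "non_compliant": len(sessions) - ok}


def findings(sessions):
    """Non-compliant sessions grouped by destination, each with its reason(s).

    Grouping by destination points the reviewer at the server that still
    negotiates legacy parameters, which is where remediation happens.
    """
    out = {}
    for s in sessions:
        reasons = []
        if s.version not in COMPLIANT_VERSIONS:
            reasons.append(f"legacy version {s.version}")
        if s.cipher not in APPROVED_CIPHERS:
            reasons.append(f"cipher {s.cipher} not on allowlist")
        if reasons:
            out.setdefault(s.dst, []).append((s.src, "; ".join(reasons)))
    return out


if __name__ == "__main__":
    for version, (n, pct) in version_distribution(SAMPLE_SESSIONS).items():
        print(f"{version:<8} {n:>4} {pct:>5.1f}%")
    print(compliance_summary(SAMPLE_SESSIONS))
    for dst, items in findings(SAMPLE_SESSIONS).items():
        for src, why in items:
            print(f"{src} -> {dst}: {why}")
```

Note that the version table alone does not establish compliance: the sixth sample session negotiates TLS 1.2 but a cipher suite outside the allowlist, and only the per-session check catches it. That is why the cipher-suite analysis listed as evidence for 3.13.11 matters in addition to the version count.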
SC — Network Boundary Monitoring
Traffic flow orientation by source and destination locality (ii = internal to internal, ie = internal to external, ei = external to internal, ee = external to external), showing boundary crossings. Provides evidence for NIST 3.13.1 (boundary monitoring) and 3.1.3 (CUI flow control).
| Direction | Flows | Traffic (GB) | Sources | Destinations |
|---|---|---|---|---|
| ii | 842,193 | 284.70 | 187 | 203 |
| ie | 384,712 | 142.30 | 164 | 4,847 |
| ei | 218,493 | 87.60 | 2,384 | 82 |
| ee | 36,993 | 8.20 | 847 | 1,203 |
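How the orientation codes and the per-direction totals above are derived, as an added example for this overview (not Rockfish NDR's own code): each flow's source and destination are tested against the organization's internal address space, the two-letter code is built from the result, and flows, bytes, unique sources and unique destinations are aggregated per direction. The `INTERNAL_NETS` list, the flow-record shape, the sample flows and the `authorized_inbound` set are constructed assumptions for illustration.

```python
import ipaddress

# ASSUMPTION: the organization's internal address space. A real deployment
# takes this from the sensor's configured home network, not a constant.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

DIRECTIONS = ("ii", "ie", "ei", "ee")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def orientation(src: str, dst: str) -> str:
    """Two-letter code: first letter is the source side, second the destination."""
    return ("i" if is_internal(src) else "e") + ("i" if is_internal(dst) else "e")


# Constructed sample flow records (not real telemetry); RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    {"src": "10.1.4.21", "dst": "10.1.10.5", "dport": 445, "bytes": 4_800_000_000},
    {"src": "10.1.4.22", "dst": "10.1.10.5", "dport": 445, "bytes": 1_200_000_000},
    {"src": "10.1.4.21", "dst": "203.0.113.10", "dport": 443, "bytes": 350_000_000},
    {"src": "10.1.5.7", "dst": "198.51.100.5", "dport": 443, "bytes": 90_000_000},
    {"src": "192.0.2.77", "dst": "10.1.20.3", "dport": 443, "bytes": 25_000_000},
    {"src": "192.0.2.78", "dst": "10.1.20.9", "dport": 3389, "bytes": 125_000_000},
    {"src": "198.51.100.5", "dst": "203.0.113.10", "dport": 53, "bytes": 4_000},
]


def summarize(flows):
    """Per-direction flows, traffic in GB, unique sources and unique destinations."""
    acc = {d: {"flows": 0, "bytes": 0, "sources": set(), "destinations": set()}
           for d in DIRECTIONS}
    for f in flows:
        a = acc[orientation(f["src"], f["dst"])]
        a["flows"] += 1
        a["bytes"] += f["bytes"]
        a["sources"].add(f["src"])
        a["destinations"].add(f["dst"])
    return {
        d: {"flows": a["flows"], "gb": round(a["bytes"] / 1e9, 2),
            "sources": len(a["sources"]), "destinations": len(a["destinations"])}
        for d, a in acc.items()
    }


def unexpected_inbound(flows, authorized_inbound):
    """'ei' flows whose internal destination is not an authorized inbound endpoint.

    Under 3.1.3 / 3.13.1 the boundary should admit traffic only to hosts that
    are authorized to receive it; anything else is a review item.
    """
    return [f for f in flows
            if orientation(f["src"], f["dst"]) == "ei"
            and f["dst"] not in authorized_inbound]


if __name__ == "__main__":
    print(f"{'Dir':<4} {'Flows':>6} {'GB':>7} {'Src':>5} {'Dst':>5}")
    for d, row in summarize(SAMPLE_FLOWS).items():
        print(f"{d:<4} {row['flows']:>6} {row['gb']:>7.2f} {row['sources']:>5} {row['destinations']:>5}")
    # ASSUMPTION: only 10.1.20.3 is approved to receive inbound connections.
    for f in unexpected_inbound(SAMPLE_FLOWS, {"10.1.20.3"}):
        print(f"review: {f['src']} -> {f['dst']}:{f['dport']}")
```

Two readings matter for an assessor. A non-zero ee row means the sensor saw flows with neither endpoint in the internal space, which usually indicates an incomplete home-network definition or a tap placed where it sees transit traffic, so the ii/ie/ei counts should not be trusted until that is resolved. And the ei row only becomes evidence for 3.1.3 when it is compared against the list of hosts authorized to receive inbound traffic, which is what `unexpected_inbound` does.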
SI — Intrusion Detection
IDS alert distribution by severity. Provides evidence for NIST 3.14.1 (flaw identification), 3.14.2 (malicious code protection), 3.14.6 (system monitoring), and 3.14.7 (unauthorized use detection).
| Severity | Alerts | Sources | Targets | % |
|---|---|---|---|---|
| Critical | 23 | 7 | 12 | 0.3 |
| High | 847 | 42 | 128 | 9.8 |
| Medium | 4,892 | 187 | 634 | 56.5 |
| Low | 2,893 | 124 | 412 | 33.4 |
IR — Incident Categories
Alert categories mapped for incident handling (NIST 3.6.1, 3.6.2).
| Category | Incidents | Max Severity | Affected Hosts |
|---|---|---|---|
| Attempted Information Leak | 2,184 | Critical | 47 |
| A Network Trojan was Detected | 847 | Critical | 12 |
| Potentially Bad Traffic | 1,892 | High | 89 |
| Misc Attack | 1,247 | High | 34 |
| Attempted Administrator Privilege Gain | 384 | Critical | 8 |
| Policy Violation | 892 | High | 67 |
| Potential Corporate Privacy Violation | 472 | High | 42 |
| Attempted Denial of Service | 247 | High | 6 |
| Web Application Attack | 312 | High | 18 |
| Not Suspicious Traffic | 178 | Low | 124 |
Gap Analysis
CMMC Level 2 includes 110 total practices. The controls below are outside NDR scope and require organizational policy, physical security, or HR processes.
| Family | Controls | Requirement | Status |
|---|---|---|---|
| AT — Awareness & Training | 3.2.1–3.2.3 | Security awareness training, role-based training programs | Out of Scope |
| IA — Identification & Authentication | 3.5.1–3.5.11 | Multi-factor auth, password policies, identity management | Out of Scope |
| MA — Maintenance | 3.7.1–3.7.6 | System maintenance procedures, maintenance tools, remote maintenance | Out of Scope |
| MP — Media Protection | 3.8.1–3.8.9 | CUI media handling, sanitization, transport, storage, marking | Out of Scope |
| PE — Physical Protection | 3.10.1–3.10.6 | Facility access, visitor management, physical access logs | Out of Scope |
| PS — Personnel Security | 3.9.1–3.9.2 | Personnel screening, CUI access on termination/transfer | Out of Scope |