CMMC Compliance Report

Generated November 16, 2025 at 4:48 PM | Account: 1234567890
Automated Check Score: 68%
Total Controls: 127
Passed: 28
Failed: 13

⚠️ Important: Automated Technical Checks Only

This report shows 41 automated technical checks out of 127 total controls. The 68.3% score represents automated infrastructure checks only.

✓ Automated Checks (41 controls)

  • Infrastructure configurations
  • Access control policies
  • Encryption settings
  • Network security rules
  • Logging and monitoring

✗ Manual Documentation Required (86 controls)

  • Organizational policies
  • Training records
  • Incident response plans
  • Third-party assessments
  • Business processes

Full compliance requires:

⚠️ THIS TOOL DOES NOT PROVIDE CERTIFICATION. Formal assessment by a qualified auditor is required.

Executive Summary

Your AWS environment needs improvement: its compliance score is 68.3%. Of the 127 controls evaluated, 28 passed and 13 failed. 0 critical issues require immediate action to achieve compliance.

Top Priority Actions

1. Enable continuous compliance monitoring
2. Document your security policies and procedures
3. Set up automated alerting for security events
4. Schedule quarterly access reviews

Control Details

Failed Automated Checks (13)

1. [AC.L1-3.1.2] Security Control
FAIL
Issue: No custom IAM policies - relying on AWS managed policies only
Remediation: Create custom IAM policies to restrict access appropriately
Evidence Collection Guide
  • AWS Console → IAM → Policies → Create policy → Screenshot custom policies
2. [IA.L1-3.5.2] Security Control
FAIL
Issue: Only 0/2 users have MFA enabled
Remediation: Enable MFA for all IAM users
Evidence Collection Guide
  • AWS Console → IAM → Users → Security credentials → Screenshot MFA devices
3. [SC.L1-3.13.1] Security Control
FAIL
Issue: 1 security group allows unrestricted access: sg-0ab56571076bcff37
Remediation: Restrict security group rules to specific IP ranges
Evidence Collection Guide
  • AWS Console → VPC → Security Groups → Screenshot showing restricted inbound rules
4. [AC.L2-3.1.3] Security Control
FAIL
Issue: No custom IAM policies to control information flow
Remediation: Create IAM policies that enforce information flow controls
Evidence Collection Guide
  • AWS Console → IAM → Policies → Create policies → Screenshot
5. [AU.L2-3.3.1] Security Control
FAIL
Issue: No CloudTrail trails configured
Remediation: Enable CloudTrail with multi-region trail
Evidence Collection Guide
  • AWS Console → CloudTrail → Create trail → Screenshot
6. [AU.L2-3.3.2] Security Control
FAIL
Issue: CloudTrail not configured to capture required audit content
Remediation: Enable CloudTrail with management events
Evidence Collection Guide
  • AWS Console → CloudTrail → Event selectors → Screenshot
7. [AU.L2-3.3.8] Security Control
FAIL
Issue: CloudTrail not configured with log file validation
Remediation: Enable CloudTrail log file integrity validation
Evidence Collection Guide
  • AWS Console → CloudTrail → Log file validation → Screenshot
8. [IA.L2-3.5.3] Security Control
FAIL
Issue: Only 0/2 users have MFA
Remediation: Require MFA for all user accounts
Evidence Collection Guide
  • AWS Console → IAM → Users → Enable MFA → Screenshot
9. [IA.L2-3.5.7] Security Control
FAIL
Issue: No password policy configured
Remediation: Configure IAM password policy with 14+ characters and complexity requirements
Evidence Collection Guide
  • AWS Console → IAM → Account settings → Set password policy → Screenshot
10. [IA.L2-3.5.8] Security Control
FAIL
Issue: No password policy configured
Remediation: Configure IAM password policy to prevent reuse
Evidence Collection Guide
  • AWS Console → IAM → Account settings → Password reuse prevention → Screenshot
11. [IA.L2-3.5.9] Security Control
FAIL
Issue: No password policy configured
Remediation: Configure password expiration policy
Evidence Collection Guide
  • AWS Console → IAM → Account settings → Password expiration → Screenshot
12. [AU.L2-3.3.4] Security Control
FAIL
Issue: CloudTrail not configured with failure alerting
Remediation: Configure CloudWatch alarms for CloudTrail delivery failures
Evidence Collection Guide
  • AWS Console → CloudWatch → Alarms → Screenshot CloudTrail failure alarms
13. [SC.L2-3.13.10] Security Control
FAIL
Issue: No KMS keys configured for cryptographic operations
Remediation: Create KMS keys for encryption at rest and in transit
Evidence Collection Guide
  • AWS Console → KMS → Create key → Screenshot

Passed Automated Checks (28)

1. [AC.L1-3.1.1] Security Control
PASS
IAM access control configured with 2 users
2. [IA.L1-3.5.1] Security Control
PASS
All 2 IAM users have unique identities
3. [SC.L1-3.13.16] Security Control
PASS
The 1 S3 bucket has encryption enabled
4. [SC.L1-3.13.11] Security Control
PASS
AWS KMS uses FIPS 140-2 validated cryptographic modules
5. [AC.L2-3.1.6] Security Control
PASS
Least privilege implemented (1 admin user)
6. [SC.L2-3.13.8] Security Control
PASS
AWS services use TLS 1.2+ for data in transit
7. [SC.L2-3.13.16] Security Control
PASS
AWS encryption services protect data at rest
8. [AC.L2-3.1.7] Security Control
PASS
Separation of duties implemented with 2 users
9. [AC.L2-3.1.16] Security Control
PASS
Access controls configured for remote/wireless access
10. [AC.L2-3.1.18] Security Control
PASS
Network controls configured with 1 VPC
11. [AC.L2-3.1.19] Security Control
PASS
AWS enforces encryption for data in transit and at rest
12. [AC.L2-3.1.20] Security Control
PASS
External connections controlled via 2 security groups
13. [CM.L2-3.4.7] Security Control
PASS
Configuration change restrictions configured via IAM (2 users)
14. [IA.L2-3.5.10] Security Control
PASS
AWS IAM stores passwords using cryptographic hashing
15. [IA.L2-3.5.11] Security Control
PASS
AWS IAM login feedback does not reveal sensitive information
16. [MP.L2-3.8.7] Security Control
PASS
S3 enforces encryption in transit for 1 bucket
17. [MP.L2-3.8.8] Security Control
PASS
The 1 S3 bucket has public access blocked
18. [SC.L2-3.13.16] Security Control
PASS
Encryption at rest configured for 1 S3 bucket
19. [AC.L2-3.1.4] Security Control
PASS
Network separation implemented with 2 security groups
20. [AC.L2-3.1.5] Security Control
PASS
Least privilege principles implemented in IAM policies
21. [AC.L2-3.1.13] Security Control
PASS
AWS enforces TLS encryption for all remote access sessions
22. [AU.L2-3.3.10] Security Control
PASS
AWS automatically synchronizes system clocks using NTP
23. [IA.L2-3.5.4] Security Control
PASS
AWS IAM uses time-based tokens and nonces to prevent replay attacks
24. [SC.L2-3.13.2] Security Control
PASS
Network segmentation implemented with 1 VPC
25. [SC.L2-3.13.5] Security Control
PASS
AWS services use cryptographic mechanisms to prevent unauthorized disclosure during transmission
26. [SC.L2-3.13.9] Security Control
PASS
Cryptographic session management configured with 0 KMS keys
27. [SC.L2-3.13.11] Security Control
PASS
AWS KMS and other AWS cryptographic services use FIPS 140-2 validated modules
28. [SC.L2-3.13.15] Security Control
PASS
AWS services use digital signatures and TLS to protect communications authenticity

Manual Documentation Required (86)

1. [MP.L1-3.8.3] Security Control
MANUAL
Documentation Required: Document media sanitization procedures for EBS volumes and S3 objects
Evidence Collection Guide
  • Documentation → Screenshot showing media sanitization procedures | AWS Console → S3 → Lifecycle rules
2. [PE.L1-3.10.1] Security Control
MANUAL
Documentation Required: AWS data centers have physical controls (inherited control)
Evidence Collection Guide
  • AWS Artifact → Screenshot SOC 2 report showing physical controls
3. [PE.L1-3.10.3] Security Control
MANUAL
Documentation Required: AWS data centers escort visitors (inherited control)
Evidence Collection Guide
  • AWS Artifact → Screenshot showing visitor management procedures
4. [PE.L1-3.10.4] Security Control
MANUAL
Documentation Required: AWS maintains physical access logs (inherited control)
Evidence Collection Guide
  • AWS Artifact → Screenshot showing physical access logging
5. [PE.L1-3.10.5] Security Control
MANUAL
Documentation Required: AWS controls physical access devices (inherited control)
Evidence Collection Guide
  • AWS Artifact → Screenshot showing physical access device management
6. [PS.L1-3.9.1] Security Control
MANUAL
Documentation Required: Document personnel screening procedures for CUI access
Evidence Collection Guide
  • HR Documentation → Screenshot showing personnel screening procedures and background check records
7. [PS.L1-3.9.2] Security Control
MANUAL
Documentation Required: Document authorization process for CUI access
Evidence Collection Guide
  • Documentation → Screenshot showing CUI access authorization procedures and approval records
8. [SI.L1-3.14.1] Security Control
MANUAL
Documentation Required: Document flaw identification and remediation processes
Evidence Collection Guide
  • AWS Console → Systems Manager → Patch Manager → Screenshot compliance dashboard
9. [SI.L1-3.14.2] Security Control
MANUAL
Documentation Required: Document malicious code protection mechanisms
Evidence Collection Guide
  • AWS Console → GuardDuty → Screenshot showing malware detection enabled
10. [SI.L1-3.14.4] Security Control
MANUAL
Documentation Required: Document malicious code protection update procedures
Evidence Collection Guide
  • AWS Console → GuardDuty → Settings → Screenshot showing automatic updates enabled
11. [CM.L2-3.4.1] Security Control
MANUAL
Documentation Required: Document baseline configurations for AWS infrastructure
Evidence Collection Guide
  • AWS Console → Config → Rules → Screenshot baseline configuration rules
12. [IR.L2-3.6.1] Security Control
MANUAL
Documentation Required: Document incident response plan and procedures
Evidence Collection Guide
  • Documentation → Screenshot incident response plan | AWS Security Hub → Screenshot incident management
13. [MP.L2-3.8.9] Security Control
MANUAL
Documentation Required: Verify backup encryption and access controls
Evidence Collection Guide
  • AWS Console → Backup → Vaults → Screenshot encryption enabled
14. [RA.L2-3.11.2] Security Control
MANUAL
Documentation Required: Document vulnerability scanning procedures
Evidence Collection Guide
  • AWS Console → Inspector → Screenshot vulnerability scans
15. [SI.L2-3.14.6] Security Control
MANUAL
Documentation Required: Verify VPC Flow Logs and GuardDuty enabled
Evidence Collection Guide
  • AWS Console → VPC → Flow Logs → Screenshot | GuardDuty → Screenshot
16. [SI.L2-3.14.7] Security Control
MANUAL
Documentation Required: Document unauthorized use detection mechanisms
Evidence Collection Guide
  • AWS Console → GuardDuty → Screenshot findings | Security Hub → Screenshot
17. [AC.L2-3.1.12] Security Control
MANUAL
Documentation Required: Verify session timeout policies configured
Evidence Collection Guide
  • AWS Console → IAM → Account settings → Screenshot session duration
18. [AU.L2-3.3.3] Security Control
MANUAL
Documentation Required: Document audit log review procedures
Evidence Collection Guide
  • Documentation → Screenshot audit review procedures | CloudTrail → Screenshot log analysis
19. [AU.L2-3.3.5] Security Control
MANUAL
Documentation Required: Verify audit record correlation across systems
Evidence Collection Guide
  • AWS Console → CloudWatch → Insights → Screenshot log correlation
20. [AU.L2-3.3.7] Security Control
MANUAL
Documentation Required: Document audit log reduction and analysis procedures
Evidence Collection Guide
  • AWS Console → CloudWatch → Insights → Screenshot analysis tools
21. [CM.L2-3.4.2] Security Control
MANUAL
Documentation Required: Verify systems configured with least functionality
Evidence Collection Guide
  • AWS Console → Organizations → SCPs → Screenshot service restrictions
22. [IR.L2-3.6.2] Security Control
MANUAL
Documentation Required: Document incident response training for personnel
Evidence Collection Guide
  • Documentation → Screenshot training records | LMS → Screenshot completion certificates
23. [IR.L2-3.6.3] Security Control
MANUAL
Documentation Required: Document incident response testing procedures
Evidence Collection Guide
  • Documentation → Screenshot testing procedures | Test results → Screenshot exercise outcomes
24. [MA.L2-3.7.1] Security Control
MANUAL
Documentation Required: Document system maintenance procedures
Evidence Collection Guide
  • AWS Console → Systems Manager → Maintenance windows → Screenshot
25. [MA.L2-3.7.5] Security Control
MANUAL
Documentation Required: Document maintenance tool controls
Evidence Collection Guide
  • AWS Console → Systems Manager → Session Manager → Screenshot access controls
26. [SC.L2-3.13.1] Security Control
MANUAL
Documentation Required: Verify VPC and security group boundary protection
Evidence Collection Guide
  • AWS Console → VPC → Screenshot network architecture | Security groups → Screenshot boundary controls
27. [PS.L2-3.9.1] Security Control
MANUAL
Documentation Required: Document position risk designations for CUI access
Evidence Collection Guide
  • HR Documentation → Screenshot position risk categories and CUI access levels
28. [PS.L2-3.9.2] Security Control
MANUAL
Documentation Required: Document formal sanctions process for security violations
Evidence Collection Guide
  • HR Documentation → Screenshot sanctions policy and violation procedures
29. [PS.L2-3.9.3] Security Control
MANUAL
Documentation Required: Document access termination procedures
Evidence Collection Guide
  • HR Documentation → Screenshot termination procedures | IAM → Screenshot user deactivation process
30. [PE.L2-3.10.1] Security Control
MANUAL
Documentation Required: AWS inherited control: AWS data centers limit physical access (verified via AWS Artifact)
Evidence Collection Guide
  • AWS Artifact → Screenshot SOC 2 report physical security section
31. [PE.L2-3.10.2] Security Control
MANUAL
Documentation Required: AWS inherited control: Physical access protection implemented at AWS facilities
Evidence Collection Guide
  • AWS Artifact → Screenshot physical protection controls documentation
32. [PE.L2-3.10.3] Security Control
MANUAL
Documentation Required: AWS inherited control: Visitor escort procedures at AWS data centers
Evidence Collection Guide
  • AWS Artifact → Screenshot visitor escort procedures
33. [PE.L2-3.10.4] Security Control
MANUAL
Documentation Required: AWS inherited control: Physical access logs maintained at AWS facilities
Evidence Collection Guide
  • AWS Artifact → Screenshot physical access logging documentation
34. [PE.L2-3.10.5] Security Control
MANUAL
Documentation Required: AWS inherited control: Physical access devices controlled at AWS facilities
Evidence Collection Guide
  • AWS Artifact → Screenshot access device controls
35. [PE.L2-3.10.6] Security Control
MANUAL
Documentation Required: AWS inherited control: Physical safeguarding mechanisms at AWS facilities
Evidence Collection Guide
  • AWS Artifact → Screenshot physical safeguarding mechanisms
36. [SI.L2-3.14.2] Security Control
MANUAL
Documentation Required: Verify malicious code protection deployed
Evidence Collection Guide
  • AWS Console → GuardDuty → Screenshot enabled | EC2 → Screenshot endpoint protection
37. [SI.L2-3.14.5] Security Control
MANUAL
Documentation Required: Verify spam protection configured for email systems
Evidence Collection Guide
  • Email system → Screenshot spam filtering configuration
38. [AC.L2-3.1.8] Security Control
MANUAL
Documentation Required: Configure account lockout after failed login attempts in authentication systems
Evidence Collection Guide
  • Directory Service/IdP → Account lockout policy → Screenshot showing 5 attempts / 30 min lockout
39. [AC.L2-3.1.9] Security Control
MANUAL
Documentation Required: Display appropriate privacy and security notices on systems processing CUI
Evidence Collection Guide
  • EC2 Instances → Login banner configuration → Screenshot security notice | Documentation → Screenshot privacy policy
40. [AC.L2-3.1.10] Security Control
MANUAL
Documentation Required: Implement session lock after 15 minutes of inactivity
Evidence Collection Guide
  • AWS Console → IAM → Account settings → Screenshot session timeout | Workstations → Screenshot screen lock policy
41. [AC.L2-3.1.11] Security Control
MANUAL
Documentation Required: Automatically terminate network connections after defined conditions
Evidence Collection Guide
  • AWS Console → IAM → Session policies → Screenshot termination rules | CloudWatch → Screenshot session monitoring
42. [AC.L2-3.1.14] Security Control
MANUAL
Documentation Required: Ensure all remote access routes through controlled access points (VPN/bastion hosts)
Evidence Collection Guide
  • AWS Console → VPC → VPN connections → Screenshot managed access points | EC2 → Bastion hosts → Screenshot
43. [AC.L2-3.1.15] Security Control
MANUAL
Documentation Required: Document authorization for remote command/script execution on CUI systems
Evidence Collection Guide
  • Documentation → Screenshot remote execution authorization policy | AWS Systems Manager → Screenshot Run Command logs
44. [AC.L2-3.1.17] Security Control
MANUAL
Documentation Required: Document authorization process for privileged functions and security-relevant information
Evidence Collection Guide
  • Documentation → Screenshot privileged access authorization policy | IAM → Screenshot admin role assignments
45. [AT.L2-3.2.1] Security Control
MANUAL
Documentation Required: Provide security awareness training to all personnel with access to CUI
Evidence Collection Guide
  • LMS/Training System → Screenshot training completion records | HR Documentation → Screenshot training policy
46. [AT.L2-3.2.2] Security Control
MANUAL
Documentation Required: Provide training on recognizing and reporting security threats
Evidence Collection Guide
  • Training System → Screenshot threat awareness modules | Security Metrics → Screenshot phishing test results
47. [AT.L2-3.2.3] Security Control
MANUAL
Documentation Required: Provide role-based security training before granting access to CUI systems
Evidence Collection Guide
  • Training System → Screenshot role-based training tracks | HR → Screenshot role-training matrix
48. [AT.L2-3.2.4] Security Control
MANUAL
Documentation Required: Update security awareness training content annually or when threats change
Evidence Collection Guide
  • Training System → Screenshot content update history | Documentation → Screenshot training review schedule
49. [AT.L2-3.2.5] Security Control
MANUAL
Documentation Required: Incorporate practical exercises in security awareness training
Evidence Collection Guide
  • Training System → Screenshot practical exercise modules | Security Metrics → Screenshot exercise participation rates
50. [AU.L2-3.3.6] Security Control
MANUAL
Documentation Required: Use CloudWatch Logs Insights for audit record analysis and reporting
Evidence Collection Guide
  • AWS Console → CloudWatch → Logs Insights → Screenshot query results | Dashboards → Screenshot audit metrics
51. [AU.L2-3.3.9] Security Control
MANUAL
Documentation Required: Verify CloudTrail logs are protected from unauthorized access and modification
Evidence Collection Guide
  • AWS Console → S3 → CloudTrail bucket → Object Lock → Screenshot | IAM → Screenshot restrictive bucket policies
52. [CA.L2-3.12.1] Security Control
MANUAL
Documentation Required: Conduct annual security control assessments of CUI systems
Evidence Collection Guide
  • Documentation → Screenshot assessment schedule and results | AWS Audit Manager → Screenshot assessment framework
53. [CA.L2-3.12.2] Security Control
MANUAL
Documentation Required: Maintain System Security Plans (SSP) for all systems processing CUI
Evidence Collection Guide
  • Documentation Repository → Screenshot SSP documents | Compliance Platform → Screenshot SSP templates
54. [CA.L2-3.12.3] Security Control
MANUAL
Documentation Required: Maintain Plans of Action & Milestones (POA&M) for identified security weaknesses
Evidence Collection Guide
  • Project Management System → Screenshot POA&M tracking | Security Hub → Screenshot finding remediation status
55. [CA.L2-3.12.4] Security Control
MANUAL
Documentation Required: Continuously monitor security controls using AWS Security Hub and Config
Evidence Collection Guide
  • AWS Console → Security Hub → Screenshot continuous monitoring dashboard | Config → Screenshot compliance timeline
56. [CM.L2-3.4.3] Security Control
MANUAL
Documentation Required: Use AWS Config to track configuration changes to CUI systems
Evidence Collection Guide
  • AWS Console → Config → Configuration timeline → Screenshot change history
57. [CM.L2-3.4.4] Security Control
MANUAL
Documentation Required: Conduct security impact analysis before implementing configuration changes
Evidence Collection Guide
  • Change Management System → Screenshot security impact analysis workflow | Documentation → Screenshot change approval records
58. [CM.L2-3.4.5] Security Control
MANUAL
Documentation Required: Document security configuration settings for all CUI system components
Evidence Collection Guide
  • AWS Console → Config → Rules → Screenshot configuration baselines | Systems Manager → Documents → Screenshot configuration standards
59. [CM.L2-3.4.6] Security Control
MANUAL
Documentation Required: Configure systems with only essential capabilities, disable unnecessary services
Evidence Collection Guide
  • AWS Console → Organizations → Service control policies → Screenshot service restrictions
60. [CM.L2-3.4.8] Security Control
MANUAL
Documentation Required: Implement application whitelisting and default-deny network policies
Evidence Collection Guide
  • AWS Console → VPC → Security Groups → Screenshot deny-all baseline with specific allows
61. [IA.L2-3.5.5] Security Control
MANUAL
Documentation Required: Ensure IAM user names and identifiers are not reused after account deletion
Evidence Collection Guide
  • IAM Policy Documentation → Screenshot identifier reuse prohibition | IAM → Screenshot user lifecycle procedures
62. [IA.L2-3.5.6] Security Control
MANUAL
Documentation Required: Disable IAM user accounts inactive for 90+ days
Evidence Collection Guide
  • AWS Console → IAM → Users → Access advisor → Screenshot last activity | IAM Access Analyzer → Screenshot unused access findings
63. [IR.L2-3.6.4] Security Control
MANUAL
Documentation Required: Maintain incident tracking system for security incidents affecting CUI
Evidence Collection Guide
  • Incident Tracking System → Screenshot incident log | Security Hub → Screenshot finding tracking
64. [MA.L2-3.7.2] Security Control
MANUAL
Documentation Required: Control and monitor the use of maintenance tools on CUI systems
Evidence Collection Guide
  • AWS Console → Systems Manager → Session Manager → Screenshot maintenance session logs
65. [MA.L2-3.7.3] Security Control
MANUAL
Documentation Required: Sanitize or destroy storage media before equipment removal (AWS inherited for cloud infrastructure)
Evidence Collection Guide
  • Documentation → Screenshot media sanitization procedures | AWS Artifact → Screenshot AWS media destruction compliance
66. [MA.L2-3.7.4] Security Control
MANUAL
Documentation Required: Scan media for malicious code before connecting to CUI systems
Evidence Collection Guide
  • S3 Bucket → Screenshot antivirus scanning configuration | Security tools → Screenshot malware detection
67. [MA.L2-3.7.6] Security Control
MANUAL
Documentation Required: Escort and supervise non-cleared personnel performing maintenance on CUI systems
Evidence Collection Guide
  • Documentation → Screenshot maintenance supervision policy | Maintenance Logs → Screenshot supervised sessions
68. [MA.L2-3.7.7] Security Control
MANUAL
Documentation Required: Sanitize equipment prior to maintenance or removal from facility
Evidence Collection Guide
  • Documentation → Screenshot equipment sanitization procedures | S3 → Screenshot lifecycle policies for data deletion
69. [MP.L2-3.8.4] Security Control
MANUAL
Documentation Required: Mark or label media containing CUI to indicate distribution limitations
Evidence Collection Guide
  • AWS Console → S3 → Object properties → Screenshot CUI classification tags
70. [MP.L2-3.8.5] Security Control
MANUAL
Documentation Required: Restrict access to CUI media to authorized individuals
Evidence Collection Guide
  • AWS Console → S3 → Bucket permissions → Screenshot restrictive access policies | IAM → Screenshot media access roles
71. [RA.L2-3.11.1] Security Control
MANUAL
Documentation Required: Conduct annual risk assessments of organizational operations and CUI systems
Evidence Collection Guide
  • Documentation → Screenshot annual risk assessment report | Risk Register → Screenshot identified risks and mitigations
72. [RA.L2-3.11.3] Security Control
MANUAL
Documentation Required: Remediate vulnerabilities based on risk assessment (high/critical within 30 days)
Evidence Collection Guide
  • AWS Console → Systems Manager → Patch Manager → Screenshot compliance status | Inspector → Screenshot vulnerability remediation tracking
73. [RA.L2-3.11.4] Security Control
MANUAL
Documentation Required: Share threat intelligence with organizational stakeholders
Evidence Collection Guide
  • GuardDuty → Screenshot threat intelligence findings | Documentation → Screenshot threat sharing procedures
74. [SC.L2-3.13.3] Security Control
MANUAL
Documentation Required: Verify security groups use deny-by-default, allow-by-exception rules
Evidence Collection Guide
  • AWS Console → VPC → Security Groups → Screenshot showing deny-all baseline with specific allow rules
75. [SC.L2-3.13.4] Security Control
MANUAL
Documentation Required: Use VPN or AWS Direct Connect for all remote connections to CUI systems
Evidence Collection Guide
  • AWS Console → VPC → VPN connections → Screenshot authorized remote access methods only
76. [SC.L2-3.13.6] Security Control
MANUAL
Documentation Required: Verify network communications are denied by default with explicit allow rules
Evidence Collection Guide
  • AWS Console → VPC → Security Groups + NACLs → Screenshot deny-by-default configuration
77. [SC.L2-3.13.7] Security Control
MANUAL
Documentation Required: Ensure VPN connections prevent split tunneling to protect CUI
Evidence Collection Guide
  • VPN Configuration → Screenshot showing split tunneling disabled | Network Policy → Screenshot VPN routing rules
78. [SC.L2-3.13.12] Security Control
MANUAL
Documentation Required: Ensure collaborative computing devices (cameras/microphones) cannot be remotely activated
Evidence Collection Guide
  • Security Policy Documentation → Screenshot remote activation prohibition | Endpoint Management → Screenshot device control settings
79. [SC.L2-3.13.13] Security Control
MANUAL
Documentation Required: Document controls for mobile code (JavaScript, applets) execution
Evidence Collection Guide
  • Security Policy → Screenshot mobile code policy | WAF Rules → Screenshot mobile code restrictions
80. [SC.L2-3.13.14] Security Control
MANUAL
Documentation Required: Document Voice over IP (VoIP) security controls if used for CUI communications
Evidence Collection Guide
  • VoIP System → Screenshot encryption settings | Network Monitoring → Screenshot VoIP traffic monitoring
81. [SC.L2-3.13.17] Security Control
MANUAL
Documentation Required: Implement mobile device management (MDM) for devices accessing CUI
Evidence Collection Guide
  • MDM Console → Screenshot device compliance policies | Device Inventory → Screenshot enrolled devices
82. [SI.L2-3.14.1] Security Control
MANUAL
Documentation Required: Use AWS Systems Manager Patch Manager and Inspector for flaw identification
Evidence Collection Guide
  • AWS Console → Inspector → Screenshot vulnerability findings | Systems Manager → Patch Manager → Screenshot compliance
83. [SI.L2-3.14.3] Security Control
MANUAL
Documentation Required: Monitor AWS Security Hub, GuardDuty, and vendor security advisories
Evidence Collection Guide
  • AWS Console → Security Hub → Screenshot security alerts dashboard | GuardDuty → Screenshot threat findings
84. [SI.L2-3.14.4] Security Control
MANUAL
Documentation Required: Ensure GuardDuty and endpoint protection have automatic updates enabled
Evidence Collection Guide
  • AWS Console → GuardDuty → Settings → Screenshot automatic updates enabled | Endpoint Protection → Screenshot update configuration
85. [SI.L2-3.14.8] Security Control
MANUAL
Documentation Required: Conduct vulnerability scans at least quarterly or when new vulnerabilities identified
Evidence Collection Guide
  • AWS Console → Inspector → Screenshot scan schedule and results | Documentation → Screenshot scan frequency policy
86. [SI.L2-3.14.9] Security Control
MANUAL
Documentation Required: Use VPC Flow Logs, GuardDuty, and CloudWatch to monitor for anomalous activity
Evidence Collection Guide
  • AWS Console → VPC → Flow Logs → Screenshot enabled | GuardDuty → Screenshot network anomaly detection