Home     |     Steps to Compliance     |     Understanding CMMC

minutes remaining

This post contains information regarding the CMMC 2.0 model.

The DoD is in the process of writing rules to clarify the changes made in CMMC 2.0. This could take 9-24 months to complete. Meanwhile, DoD recommends that contractors work toward compliance with NIST SP 800-171 as the required controls can take months to implement.

CMMC compliance rests on meeting technological requirements ensuring various types of information are protected. CMMC outlines these requirements as controls. CMMC defines a control as “The methods, policies, and procedures—manual or automated—used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards. A measure that is modifying risk.”1 Simply, CMMC controls are the risk-modifying actions that a contractor must implement to achieve CMMC certification.

Control Domains

All of the control requirements found in CMMC Levels 1 through 3 stem from 14 categories, or domains. NIST SP 800-171, the standard on which much of CMMC is based, labels these domains as “families.” See the full list of CMMC domains and controls below.

Basic and Derived Controls

The domains, or families, can have “basic” and/or “derived” control requirements. First, a basic control requirement is what organizations will satisfy first when implementing a security plan. Next, a derived requirement acts as a supplement to the basic requirement.2 Almost all domains contain derived requirements, except for Personnel Security and Security Assessment.

Apart from Levels 1 and 2 requirements, CMMC Level 3 controls are neither basic nor derived. Level 3 controls take those found in Level 2 and strengthen them to protect against more sophisticated threats. Appropriately, these are known as “enhanced” control requirements.

CMMC Controls by Level

CMMC is made up of three different levels that contain different amounts of control requirements. Companies entrusted with national security information, depending on the type and sensitivity, must implement cybersecurity standards at progressively higher levels.

Level 1

Companies with Level 1 requirements must implement the 17 basic safeguarding practices in Level 1. These practices are foundational and range from restricting system access to properly disposing of devices that contained sensitive information.

Level 2

CMMC Level 2 requirements mirror the 110 widely-used NIST SP 800-171 guidelines. Level 2 includes all 17 practices found in Level 1. More advanced than Level 1, these practices include multi-factor authentication and ongoing security control monitoring.

Level 3

A supplement to NIST SP 800-171, the 20 enhanced security requirements found in NIST SP 800-172 were created to respond to advanced persistent threats. Because of this, a contract that requires Level 3 certification may call out some or all of the enhanced requirements from NIST SP 800-172.

List of Domains and Controls

Note: Each requirement, or practice, uses the following naming convention:

AC.L1-3.1.1 = [Family/Domain] . [CMMC Level] – [Practice Number]

Click a tab to see a description of each domain and its list of control requirements.

Access Control (AC)

Controls in the Access Control domain restrict system access to protected information based on authentic user, process, or device identities.

AC Control Example: An organization monitors and controls their employees’ internet remote access sessions to the system and implements a VPN (virtual private network) to improve confidentiality.

CMMC Level 1 Practices

  • AC.L1-3.1.1 – Authorized Access Control
  • AC.L1-3.1.2 – Transaction & Function Control
  • AC.L1-3.1.20 – External Connections
  • AC.L1-3.1.22 – Control Public Information

CMMC Level 2 Practices

  • AT.L2-3.1.3 – Control CUI Flow
  • AC.L2-3.1.4 – Separation of Duties
  • AC.L2-3.1.5 – Least Privilege
  • AC.L2-3.1.6 – Non-Privileged Account Use
  • AC.L2-3.1.7 – Privileged Functions
  • AC.L2-3.1.8 – Unsuccessful Logon Attempts
  • AC.L2-3.1.9 – Privacy & Security Notices
  • AC.L2-3.1.10 – Session Lock
  • AC.L2-3.1.11 – Session Termination
  • AC.L2-3.1.12 – Control Remote Access
  • AC.L2-3.1.13 – Remote Access Confidentiality
  • AC.L2-3.1.14 – Remote Access Routing
  • AC.L2-3.1.15 – Privileged Remote Access
  • AC.L2-3.1.16 – Wireless Access Authorization
  • AC.L2-3.1.17 – Wireless Access Protection
  • AC.L2-3.1.18 – Mobile Device Connection
  • AC.L2-3.1.19 – Encrypt CUI on Mobile
  • AC.L2-3.1.21 – Portable Storage Use

Awareness and Training (AT)

Controls in the Awareness & Training domain ensure that all users of a system are made aware of security risks and applicable policies, standards, and procedures through rigorous training.

AT Control Example: An organization teaches their staff how to recognize and report potential insider threats through security awareness training.

CMMC Level 1 Practices

  • No Level 1 AT Practices

CMMC Level 2 Practices

  • AT.L2-3.2.1 – Role-Based Risk Awareness
  • AT.L2-3.2.2 – Role-Based Training
  • AT.L2-3.2.3 – Insider Threat Awareness

Audit and Accountability (AU)

Controls in the Audit & Accountability domain provide protocols for system audit scheduling and audit log storage for the monitoring and reporting of unauthorized system use.

AU Control Example: An organization specifies the system event types to be logged and outlines requirements for retaining and storing the audit records.

CMMC Level 1 Practices

  • No Level 1 AU Practices

CMMC Level 2 Practices

  • AU.L2-3.3.1 – System Auditing
  • AU.L2-3.3.2 – User Accountability
  • AU.L2-3.3.3 – Even Review
  • AU.L2-3.3.4 – Audit Failure Alerting
  • AU.L2-3.3.5 – Audit Correlation
  • AU.L2-3.3.6 – Reduction & Reporting
  • AU.L2-3.3.7 – Authoritative Time Source
  • AU.L2-3.3.8 – Audit Protection
  • AU.L2-3.3.9 – Audit Management

Configuration Management (CM)

Controls in the Configuration Management domain govern the baseline settings installed on software, hardware, and firmware and listed in documentation.

CM Control Example: An organization establishes and maintains sets of specifications and configuration items (standard software packages installed on devices, current version numbers on applications, etc.) throughout all organizational systems (software, hardware, firmware,  System Security Plan) listed in their system inventory.

CMMC Level 1 Practices

  • No Level 1 CM Practices

CMMC Level 2 Practices

  • CM.L2-3.4.1 – System Baselining
  • CM.L2-3.4.2 – Security Configuration Enforcement
  • CM.L2-3.4.3 – System Change Management
  • CM.L2-3.4.4 – Security Impact Analysis
  • CM.L2-3.4.5 – Access Restrictions for Change
  • CM.L2-3.4.6 – Least Functionality
  • CM.L2-3.4.7 – Nonessential Functionality
  • CM.L2-3.4.8 – Application Execution Policy
  • CM.L2-3.4.9 – User-Installed Software

Identification and Authentication (IA)

Controls in the Identification & Authentication domain serve to specify the user and device identification process and set up authentication of users and devices before allowing them access to the system. 

IA Control Example: An organization assigns unique user IDs to each employee to be able to log into the system. This allows for granting access to information needed for a project to certain users while preventing other users not working on the project from accessing the information.

CMMC Level 1 Practices

  • IA.L1-3.5.1 – Identification
  • IA.L1-3.5.2 – Authentication

CMMC Level 2 Practices

  • IA.L2-3.5.3 – Multifactor Authentication
  • IA.L2-3.5.4 – Replay-Resistant Authentication
  • IA.L2-3.5.5 – Identifier Reuse
  • IA.L2-3.5.6 – Identifier Handling
  • IA.L2-3.5.7 – Password Complexity
  • IA.L2-3.5.8 – Password Reuse
  • IA.L2-3.5.9 – Temporary Passwords
  • IA.L2-3.5.10 – Cryptographically-Protected Passwords
  • IA.L2-3.5.11 – Obscure Feedback

Incident Response (IR)

Controls in the Incident Response domain establish the systematic approaches and architecture needed to respond to real-time attacks. An incident response plan outlines an organization’s capacity to handle incidents, including preparation, detection, analysis, containment, recovery, and user response activities.

IR Control Example: An organization establishes a procedure for users to identify and report potential incidents by emailing a certain address. The procedure also assigns roles and responsibilities to different users within a system to prepare incident handling capabilities like determining a place to store evidence of an incident.

CMMC Level 1 Practices

  • No Level 1 IR Practices

CMMC Level 2 Practices

  • IR.L2-3.6.1 – Incident Handling
  • IR.L2-3.6.2 – Incident Reporting
  • IR.L2-3.6.3 – Incident Response Testing

Maintenance (MA)

Controls in the Maintenance domain list protocols and procedures for scheduling regular and special event maintenance on organizational systems.

MA Control Example: An organization establishes a procedure and performs preventative maintenance by updating operating systems and applications to avoid potential problems, tracking what maintenance was perform to help with troubleshooting (if needed).

CMMC Level 1 Practices

  • No Level 1 MA Practices

CMMC Level 2 Practices

  • MA.L2-3.7.1 – Perform Maintenance
  • MA.L2-3.7.2 – System Maintenance Control
  • MA.L2-3.7.3 – Equipment Sanitization
  • MA.L2-3.7.4 – Media Inspection
  • MA.L2-3.7.5 – Nonlocal Maintenance
  • MA.L2-3.7.6 – Maintenance Personnel

Media Protection (MP)

Controls in the Media Protection domain outline practices for the safeguarding of FCI and CUI in information system media like paper documents, USB drives, or mobile phones. These practices include the encryption and secure storage of media and the sanitization or destroying of media before its disposal or reuse.

MP Control Example: An organization has CUI stored on a USB drive which is then locked in a drawer and logged in a system inventory. Any time the USB drive is checked out by an employee, a log is updated with their information.

CMMC Level 1 Practices

  • MP.L1-3.8.3 – Media Disposal

CMMC Level 2 Practices

  • MP.L2-3.8.1 – Media Protection
  • MP.L2-3.8.2 – Media Access
  • MP.L2-3.8.4 – Media Markings
  • MP.L2-3.8.5 – Media Accountability
  • MP.L2-3.8.6 – Portable Storage Encryption
  • MP.L2-3.8.7 – Removeable Media
  • MP.L2-3.8.8 – Shared Media
  • MP.L2-3.8.9 – Protect Backups

Personnel Security (PS)

Controls in the Personnel Security domain require that an organization define protocols for screening individuals during the recruiting, hiring, and onboarding processes prior to granting access to systems containing CUI.

PS Control Example: An organization assesses a newly hired employee’s conduct and reliability, as well as background and credit checks, before they can access CUI.

CMMC Level 1 Practices

  • No Level 1 PS Practices

CMMC Level 2 Practices

  • PS.L2-3.9.1 – Screen Individuals
  • PS.L2-3.9.2 – Personnel Actions

Physical Protection (PE)

Controls in the Physical Protection domain limit physical access through proximity-based safeguards for workspaces and devices linked to CUI or CDI (covered defense information).

PE Control Example: An organization keeps a log of visitors to their office and requires that they be escorted by an employee at all times. Video cameras are installed at each entrance and exit and feed video to a reception desk monitor.

CMMC Level 1 Practices

  • PE.L1-3.10.1 – Limit Physical Access
  • PE.L1-3.10.3 – Escort Visitors
  • PE.L1-3.10.4 – Physical Access Logs
  • PE.L1-3.10.5 – Manage Physical Access

CMMC Level 2 Practices

  • PE.L2-3.10.2 – Monitor Facility
  • PE.L2-3.10.6 – Alternative Work Sites

Risk Assessment (RA)

Controls in the Risk Assessment domain advise periodically assessing the risk to an organization by monitoring, analyzing, and mitigating known threats and vulnerabilities.

RA Control Example: An organization performs their annual risk assessment exercise by reviewing incident reports, identifying threat sources and events, and determining the likelihood of risk to the safeguarding of CUI.

CMMC Level 1 Practices

  • No Level 1 RA Practices

CMMC Level 2 Practices

  • RA.L2-3.11.1 – Risk Assessments
  • RA.L2-3.11.2 – Vulnerability Scan
  • RA.L2-3.11.3 – Vulnerability Remediation

Security Assessment (CA)

Controls in the Security Assessment domain includes protocols for conducting regular internal and external audits of cybersecurity measures and practices to determine their effectiveness.

CA Control Example: An organization uses their own System Security Plan (SSP) as a guide and reviews the efficacy of their security controls, proposing updated or new controls where needed.

CMMC Level 1 Practices

  • No Level 1 CA Practices

CMMC Level 2 Practices

  • CA.L2-3.12.1 – Security Control Assessment
  • CA.L2-3.12.2 – Plan of Action
  • CA.L2-3.12.3 – Security Control Monitoring
  • CA.L2-3.12.4 – System Security Plan

System and Communications Protection (SC)

Controls in the System and Communications Protection domain optimize the security of all internal and external network traffic, such as through a web proxy and a firewall.

SC Control Example: An organization installs a firewall to separate their internal network from the internet. The firewall allows them to block access to websites that appear to spread malware and keeps a log of blocked activity for use in monitoring.

CMMC Level 1 Practices

  • SC.L1-3.13.1 – Boundary Protection
  • SC.L1-3.13.5 – Public-Access System Separation

CMMC Level 2 Practices

  • SC.L2-3.13.2 – Security Engineering
  • SC.L2-3.13.3 – Role Separation
  • SC.L2-3.13.4 – Shared Resource Control
  • SC.L2-3.13.6 – Network Communication by Exception
  • SC.L2-3.13.7 – Split Tunneling
  • SC.L2-3.13.8 – Data in Transit
  • SC.L2-3.13.9 – Connections Termination
  • SC.L2-3.13.10 – Key Management
  • SC.L2-3.13.11 – CUI Encryption
  • SC.L2-3.13.12 – Collaborative Device Control
  • SC.L2-3.13.13 – Mobile Code
  • SC.L2-3.13.14 – Voice Over Internet Protocol
  • SC.L2-3.13.15 – Communications Authenticity
  • SC.L2-3.13.16 – Data at Rest

System and Information Integrity (SI)

Controls in the System and Information Integrity domain entail protocols, like system security alerts and communication monitoring, that ensure total confidentiality of protected data within systems.

SI Control Example: An organization sets up system security alerts for different parts of the system, reviews alerts, and researches how to appropriately address them.

CMMC Level 1 Practices

  • SI.L1-3.14.1 – Flaw Remediation
  • SI.L1-3.14.2 – Malicious Code Protection
  • SI.L1-3.14.4 – Update Malicious Code Protection
  • SI.L1-3.14.5 – System & File Scanning 

CMMC Level 2 Practices

  • SI.L2-3.14.3 – Security Alerts & Advisories
  • SI.L2-3.14.6 – Monitor Communications for Attacks
  • SI.L2-3.14.7 – Identify Unauthorized Use

Implementing all the controls necessary to comply with CMMC can be a daunting task for many contractors. Fortunately, hiring a cybersecurity service provider to reach your organization’s compliance has numerous benefits. CyberSecure 360 is an all-in-one NIST SP 800-171 and CMMC compliance solution that helps organizations achieve and maintain compliance easily and affordably.


1 https://www.acq.osd.mil/cmmc/docs/Glossary_MasterV2.0_FINAL_202111217_508.pdf

2 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf#page=18



{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Never Miss a Post

Sign up to be updated with the newest CMMC Insights.

Approx. 2 emails per month. Read our Privacy policy.