This post contains information regarding the CMMC 2.0 model.
CMMC compliance rests on meeting technological requirements that ensure various types of information are protected. CMMC outlines these requirements as controls. CMMC defines a control as “The methods, policies, and procedures—manual or automated—used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards. A measure that is modifying risk.”1 Put simply, CMMC controls are the risk-modifying actions that a contractor must implement to achieve CMMC certification.
All of the control requirements found in CMMC Levels 1 through 3 stem from 14 categories, or domains. NIST SP 800-171, the standard on which much of CMMC is based, labels these domains as “families.” See the full list of CMMC domains and controls below.
Basic and Derived Controls
The domains, or families, can have “basic” and/or “derived” control requirements. A basic requirement is the one an organization satisfies first when implementing a security plan; a derived requirement supplements the basic requirement.2 Almost all domains contain derived requirements; the exceptions are Personnel Security and Security Assessment.
Unlike the Level 1 and Level 2 requirements, CMMC Level 3 controls are neither basic nor derived. Level 3 controls take those found in Level 2 and strengthen them to protect against more sophisticated threats. Appropriately, these are known as “enhanced” control requirements.
CMMC Controls by Level
CMMC is made up of three levels, each with a different number of control requirements. Companies entrusted with national security information must implement cybersecurity standards at progressively higher levels, depending on the type and sensitivity of that information.
Companies with Level 1 requirements must implement the 17 basic safeguarding practices in Level 1. These practices are foundational and range from restricting system access to properly disposing of devices that contained sensitive information.
CMMC Level 2 requirements mirror the 110 widely used NIST SP 800-171 requirements. Level 2 includes all 17 practices found in Level 1. More advanced than Level 1, these practices include multi-factor authentication and ongoing security control monitoring.
The 20 enhanced security requirements found in NIST SP 800-172, a supplement to NIST SP 800-171, were created to respond to advanced persistent threats. A contract that requires Level 3 certification may therefore call out some or all of the enhanced requirements from NIST SP 800-172.
List of Domains and Controls
Note: Each requirement, or practice, uses the following naming convention:
AC.L1-3.1.1 = [Family/Domain] . [CMMC Level] – [Practice Number]
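The naming convention above is regular enough to parse mechanically. The following is an added example (not code from the original post or from any CMMC tooling) that splits an identifier such as AC.L1-3.1.1 into its domain, level and NIST SP 800-171 practice number, rejects unknown domains and levels, and filters a practice list down to what a given level must implement, using the rule from this page that each level includes the practices of the levels below it. The sample identifier list is constructed for illustration, not the full CMMC catalog.

```python
import re
from dataclasses import dataclass

# The 14 CMMC domains (abbreviation -> name) described on this page.
DOMAINS = {
    "AC": "Access Control", "AT": "Awareness & Training",
    "AU": "Audit & Accountability", "CM": "Configuration Management",
    "IA": "Identification & Authentication", "IR": "Incident Response",
    "MA": "Maintenance", "MP": "Media Protection", "PS": "Personnel Security",
    "PE": "Physical Protection", "RA": "Risk Assessment", "CA": "Security Assessment",
    "SC": "System and Communications Protection", "SI": "System and Information Integrity",
}

# [Domain].L[Level]-[Practice Number]; the separator before the practice number is
# accepted as a hyphen or an en dash, since text copied from documents often has the latter.
PATTERN = re.compile(r"^(?P<domain>[A-Z]{2})\.L(?P<level>[123])[-\u2013](?P<practice>\d+\.\d+\.\d+)$")

@dataclass(frozen=True)
class PracticeId:
    domain: str        # e.g. "AC"
    domain_name: str   # e.g. "Access Control"
    level: int         # CMMC level at which the practice is first required (1, 2 or 3)
    practice: str      # NIST SP 800-171 requirement number, e.g. "3.1.1"

def parse_practice_id(text: str) -> PracticeId:
    """Parse an identifier such as 'AC.L1-3.1.1'; raise ValueError if it is malformed."""
    m = PATTERN.match(text.strip())
    if m is None:
        raise ValueError(f"not a CMMC practice identifier: {text!r}")
    domain = m.group("domain")
    if domain not in DOMAINS:
        raise ValueError(f"unknown domain {domain!r} in {text!r}")
    return PracticeId(domain, DOMAINS[domain], int(m.group("level")), m.group("practice"))

def is_valid_practice_id(text: str) -> bool:
    try:
        parse_practice_id(text)
        return True
    except ValueError:
        return False

def applicable_practices(ids, target_level: int) -> list:
    """Practices an organization assessed at target_level must implement: each level
    includes the practices of the levels below it, so keep everything with level <= target."""
    return [p for p in (parse_practice_id(i) for i in ids) if p.level <= target_level]

# Constructed sample list for illustration (not the full CMMC practice catalog).
SAMPLE_IDS = ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3",
              "AU.L2-3.3.1", "IA.L1-3.5.1", "SI.L1\u20133.14.1"]
```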
Each domain is described below, together with an example of the kind of control requirement it contains.
Controls in the Access Control domain restrict system access to protected information based on authentic user, process, or device identities.
AC Control Example: An organization monitors and controls their employees’ internet remote access sessions to the system and implements a VPN (virtual private network) to improve confidentiality.
Controls in the Awareness & Training domain ensure that all users of a system are made aware of security risks and applicable policies, standards, and procedures through rigorous training.
AT Control Example: An organization teaches their staff how to recognize and report potential insider threats through security awareness training.
Controls in the Audit & Accountability domain provide protocols for system audit scheduling and audit log storage for the monitoring and reporting of unauthorized system use.
AU Control Example: An organization specifies the system event types to be logged and outlines requirements for retaining and storing the audit records.
Controls in the Configuration Management domain govern the baseline settings applied to software, hardware, and firmware and recorded in documentation.
CM Control Example: An organization establishes and maintains sets of specifications and configuration items (standard software packages installed on devices, current version numbers on applications, etc.) throughout all organizational systems (software, hardware, firmware, System Security Plan) listed in their system inventory.
Controls in the Identification & Authentication domain serve to specify the user and device identification process and set up authentication of users and devices before allowing them access to the system.
IA Control Example: An organization assigns unique user IDs to each employee to be able to log into the system. This allows for granting access to information needed for a project to certain users while preventing other users not working on the project from accessing the information.
Controls in the Incident Response domain establish the systematic approaches and architecture needed to respond to real-time attacks. An incident response plan outlines an organization’s capacity to handle incidents, including preparation, detection, analysis, containment, recovery, and user response activities.
IR Control Example: An organization establishes a procedure for users to identify and report potential incidents by emailing a certain address. The procedure also assigns roles and responsibilities to different users within a system to prepare incident handling capabilities like determining a place to store evidence of an incident.
Controls in the Maintenance domain list protocols and procedures for scheduling regular and special event maintenance on organizational systems.
MA Control Example: An organization establishes a procedure for and performs preventive maintenance, updating operating systems and applications to avoid potential problems and tracking what maintenance was performed to help with troubleshooting if needed.
Controls in the Media Protection domain outline practices for safeguarding FCI and CUI on information system media such as paper documents, USB drives, or mobile phones. These practices include the encryption and secure storage of media and the sanitization or destruction of media before its disposal or reuse.
MP Control Example: An organization has CUI stored on a USB drive which is then locked in a drawer and logged in a system inventory. Any time the USB drive is checked out by an employee, a log is updated with their information.
Controls in the Personnel Security domain require that an organization define protocols for screening individuals during the recruiting, hiring, and onboarding processes prior to granting access to systems containing CUI.
PS Control Example: An organization assesses a newly hired employee’s conduct and reliability, and performs background and credit checks, before the employee can access CUI.
Controls in the Physical Protection domain limit physical access through proximity-based safeguards for workspaces and devices linked to CUI or CDI (covered defense information).
PE Control Example: An organization keeps a log of visitors to their office and requires that they be escorted by an employee at all times. Video cameras are installed at each entrance and exit and feed video to a reception desk monitor.
Controls in the Risk Assessment domain advise periodically assessing the risk to an organization by monitoring, analyzing, and mitigating known threats and vulnerabilities.
RA Control Example: An organization performs their annual risk assessment exercise by reviewing incident reports, identifying threat sources and events, and determining the likelihood of risk to the safeguarding of CUI.
Controls in the Security Assessment domain include protocols for conducting regular internal and external audits of cybersecurity measures and practices to determine their effectiveness.
CA Control Example: An organization uses their own System Security Plan (SSP) as a guide and reviews the efficacy of their security controls, proposing updated or new controls where needed.
Controls in the System and Communications Protection domain optimize the security of all internal and external network traffic, such as through a web proxy and a firewall.
SC Control Example: An organization installs a firewall to separate their internal network from the internet. The firewall allows them to block access to websites that appear to spread malware and keeps a log of blocked activity for use in monitoring.
Controls in the System and Information Integrity domain cover protocols, such as system security alerts and communication monitoring, that ensure the confidentiality of protected data within systems.
SI Control Example: An organization sets up system security alerts for different parts of the system, reviews alerts, and researches how to appropriately address them.
Source: CMMC Level 2 Assessment Guide
Implementing all the controls necessary to comply with CMMC can be a daunting task for many contractors. Fortunately, hiring a cybersecurity service provider to reach your organization’s compliance has numerous benefits. CyberSecure 360 is an all-in-one NIST SP 800-171 and CMMC compliance solution that helps organizations achieve and maintain compliance easily and affordably.