CMMC 2.0 Domains & Capabilities

This page gives an overview of the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework: the 14 domains it covers and the capabilities grouped under each. Note that the C0xx capability identifiers below originate in the CMMC 1.0 model; CMMC 2.0 itself assesses practices that map to the 14 control families of NIST SP 800-171, and the three CMMC 1.0 domains that had no 800-171 counterpart (Asset Management, Recovery, Situational Awareness) were dropped along with their capabilities, which is why C005, C006, C029, C030 and C037 do not appear.

CMMC 2.0 Domains

  1. Access Control (AC)
  2. Awareness and Training (AT)
  3. Audit and Accountability (AU)
  4. Configuration Management (CM)
  5. Identification and Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Media Protection (MP)
  9. Personnel Security (PS)
  10. Physical Protection (PE)
  11. Risk Assessment (RA)
  12. Security Assessment (CA)
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)

CMMC 2.0 Capabilities

  • Access Control (AC)
    • C001 – Establish system access requirements.
    • C002 – Control internal system access.
    • C003 – Control remote system access.
    • C004 – Limit data access to authorised users and processes.
  • Awareness and Training (AT)
    • C011 – Conduct security awareness activities.
    • C012 – Conduct training.
  • Audit and Accountability (AU)
    • C007 – Define audit requirements.
    • C008 – Perform auditing.
    • C009 – Identify and protect audit information.
    • C010 – Review and manage audit logs.
  • Configuration Management (CM)
    • C013 – Establish configuration baselines.
    • C014 – Perform configuration and change management.
  • Identification and Authentication (IA)
    • C015 – Grant access to authenticated entities.
  • Incident Response (IR)
    • C016 – Plan incident response.
    • C017 – Detect and report events.
    • C018 – Develop and implement a response to a declared incident.
    • C019 – Perform post-incident reviews.
    • C020 – Test incident response.
  • Maintenance (MA)
    • C021 – Manage maintenance.
  • Media Protection (MP)
    • C022 – Identify and mark media.
    • C023 – Protect and control media.
    • C024 – Sanitize media.
    • C025 – Protect media during transport.
  • Personnel Security (PS)
    • C026 – Screen personnel.
    • C027 – Protect CUI during personnel actions.
  • Physical Protection (PE)
    • C028 – Limit physical access.
  • Risk Assessment (RA)
    • C031 – Identify and evaluate risk.
    • C032 – Manage risk.
    • C033 – Manage supply chain risk.
  • Security Assessment (CA)
    • C034 – Develop and manage a system security plan.
    • C035 – Define and manage controls.
    • C036 – Perform code reviews.
  • System and Communications Protection (SC)
    • C038 – Define security requirements for systems and communications.
    • C039 – Control communications at system boundaries.
  • System and Information Integrity (SI)
    • C040 – Identify and manage information system flaws.
    • C041 – Identify malicious content.
    • C042 – Perform network and system monitoring.
    • C043 – Implement advanced email protections.