CMMC 2.0 Domains & Capabilities
This page offers an overview of the Cybersecurity Maturity Model Certification (CMMC) framework, outlining its key domains and capabilities. Gain a clear understanding of each certification level and learn how your organization can effectively achieve compliance.
CMMC 2.0 Domains
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System Communications Protection (SC)
- System Information Integrity (SI)
CMMC 2.0 Capabilities
- Access Control (AC)
• C001 – Establish system access requirements.
• C002 – Control internal system access.
• C003 – Control remote system access.
• C004 – Limit data access to authorised users and processes.
- Awareness and Training (AT)
• C011 – Conduct security awareness activities.
• C012 – Conduct training.
- Audit and Accountability (AU)
• C007 – Define audit requirements.
• C008 – Perform auditing.
• C009 – Identify and protect audit information.
• C010 – Review and manage audit logs.
- Configuration Management (CM)
• C013 – Establish configuration baselines.
• C014 – Perform configuration and change management.
- Identification and Authentication (IA)
• C015 – Grant access to authenticated entities.
- Incident Response (IR)
• C016 – Plan incident response.
• C017 – Detect and report events.
• C018 – Develop and implement a response to a declared incident.
• C019 – Perform post-incident reviews.
• C020 – Test incident response.
- Maintenance (MA)
• C021 – Manage maintenance.
- Media Protection (MP)
• C022 – Identify and mark media.
• C023 – Protect and control media.
• C024 – Sanitize media.
• C025 – Protect media during transport.
- Personnel Security (PS)
• C026 – Screen personnel.
• C027 – Protect CUI during personnel actions.
- Physical Protection (PE)
• C028 – Limit physical access.
- Risk Assessment (RA)
• C031 – Identify and evaluate risk.
• C032 – Manage risk.
• C033 – Manage supply chain risk.
- Security Assessment (CA)
• C034 – Develop and manage a system security plan.
• C035 – Define and manage controls.
• C036 – Perform code reviews.
- Systems and Communications Protection (SC)
• C038 – Define security requirements for systems and communications.
• C039 – Control communications at system boundaries.
- Systems and Information Integrity (SI)
• C040 – Identify and manage information system flaws.
• C041 – Identify malicious content.
• C042 – Perform network and system monitoring.
• C043 – Implement advanced email protections.