
The 17 CMMC Domains Explained: Beginner’s Guide to Cybersecurity Compliance

Jim Carlson

2025-03-10 · 12 minutes

Key Takeaways

  • The CMMC framework divides cybersecurity requirements into 17 distinct domains, each representing a focused area of security practices.
  • Domains group specific practices and controls required at different CMMC maturity levels, making compliance management clearer and more organized.
  • Understanding which domains and controls apply at Levels 1, 2, and 3 helps organizations prioritize efforts and align their cybersecurity programs effectively.

Introduction: Why Understanding CMMC Domains Is Essential for Compliance

Navigating the complexities of the Cybersecurity Maturity Model Certification (CMMC) can be daunting for many defense contractors and cybersecurity professionals. At its core, the CMMC is the Department of Defense’s structured approach to ensuring contractors protect sensitive Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). To simplify this process, CMMC organizes its security requirements into 17 domains. These domains cluster related cybersecurity practices, offering a clearer pathway to compliance.

If you are a defense contractor, IT manager, compliance officer, or an MSP supporting DoD clients, grasping these domains is your critical first step. This guide breaks down the 17 domains in straightforward language, helping you understand what they are, why they matter, and how they relate to the various CMMC levels.

To deepen your understanding further, you can also read our post Understanding the Role of CMMC Third-Party Assessment Organizations (C3PAOs) in Cybersecurity Compliance, which explains the assessment process that applies to the domains outlined here.

What Are Domains, Practices, and Controls? Clarifying Core CMMC Concepts

Before diving into the domains, it’s important to distinguish three key terms often used in CMMC discussions:

| Term             | Meaning                                                                                                         |
|------------------|-----------------------------------------------------------------------------------------------------------------|
| Domain           | A broad topic area covering a group of related cybersecurity activities (e.g., Access Control)                  |
| Practice/Control | A specific security action or requirement within a domain that must be implemented to meet CMMC standards      |
| Level            | The maturity stage (Level 1, 2, or 3) at which specific practices or controls become mandatory                  |

Each domain includes several controls or practices that organizations must implement based on their targeted CMMC level. For example, some controls only kick in at Level 2 or 3, particularly those designed to protect CUI.

For a detailed breakdown of the assessment itself, our post on the CMMC Assessment Process & Maintaining Certification explains how these controls are evaluated and kept in place throughout your compliance journey.

Overview of the 17 CMMC Domains: The Building Blocks of Cybersecurity Compliance

Here is a snapshot of all 17 domains, illustrating their focus and the number of controls encompassed within each:

| Domain Code | Domain Name                           | Controls Count | Description                                    |
|-------------|---------------------------------------|----------------|------------------------------------------------|
| AC          | Access Control                        | 25             | Manage system and data access                  |
| AM          | Asset Management                      | 2              | Identify and manage IT assets                  |
| AU          | Audit and Accountability              | 16             | Track and analyze system activities            |
| AT          | Awareness and Training                | 3              | Educate personnel on cybersecurity             |
| CM          | Configuration Management              | 9              | Maintain and secure system configurations      |
| IA          | Identification and Authentication     | 11             | Verify identities and control access           |
| IR          | Incident Response                     | 7              | Detect and respond to security incidents       |
| MA          | Maintenance                           | 6              | Secure system maintenance practices            |
| MP          | Media Protection                      | 9              | Protect sensitive data stored on media devices |
| PE          | Physical Protection                   | 6              | Control physical access to systems             |
| PS          | Personnel Security                    | 2              | Screen and manage personnel access             |
| RA          | Risk Assessment                       | 3              | Identify and manage cybersecurity risks        |
| CA          | Security Assessment                   | 4              | Evaluate and improve security controls         |
| SC          | System and Communications Protection  | 27             | Safeguard data in transit and at rest          |
| SI          | System and Information Integrity      | 13             | Detect and correct system security weaknesses  |
| RM          | Risk Management                       | 1              | Oversee cybersecurity risk policies            |
| SR          | Supply Chain Risk Management          | 3              | Ensure security across suppliers and partners  |

Note: Detailed articles for each domain will be made available in the near future.

Deep Dive into Each Domain: What You Need to Know

Access Control (AC)

This domain centers on limiting user access to authorized individuals and managing permissions. Controls include user account management, remote access restrictions, and session timeouts. Example: AC.1.001 – Limit system access to authorized users. Read the full Access Control domain guide.

Asset Management (AM)

Focusing on the inventory of hardware, software, and data, AM helps ensure you know what assets require protection. Example: AM.2.031 – Maintain an accurate inventory of system components. Read the full Asset Management domain guide.

Audit and Accountability (AU)

By logging and monitoring system events, this domain enables detection and investigation of security incidents. Example: AU.2.041 – Review and retain audit records regularly. Read the full Audit and Accountability domain guide.

Awareness and Training (AT)

This domain ensures staff are trained to recognize cybersecurity threats and understand their role in protection. Example: AT.2.056 – Provide cybersecurity awareness training for employees.

Configuration Management (CM)

CM sets guidelines for how system settings and changes are controlled to reduce vulnerabilities. Example: CM.2.061 – Develop and use configuration baselines.

Identification and Authentication (IA)

IA ensures only verified users can access systems, often requiring multi-factor authentication or strong password policies. Example: IA.2.078 – Enforce complex password requirements.

Incident Response (IR)

Being prepared for and responding to cybersecurity events rapidly is critical; this domain focuses on those procedures. Example: IR.2.092 – Develop and test an incident response plan.

Maintenance (MA)

Secure maintenance covers regular upkeep, including ensuring third-party vendors follow security protocols. Example: MA.2.111 – Perform maintenance only on authorized systems.

Media Protection (MP)

Data stored on physical or digital media must be safeguarded against unauthorized access and loss. Example: MP.2.118 – Control access to media containing CUI.

Physical Protection (PE)

This domain restricts physical access to systems and sensitive areas through security measures like locks or badges. Example: PE.1.131 – Limit physical access to authorized personnel.

Personnel Security (PS)

Screening and managing employees or contractors with system access minimizes insider threat risks. Example: PS.2.128 – Conduct background checks before granting access.

Risk Assessment (RA)

Continuous assessment identifies vulnerabilities and threats to organizational systems. Example: RA.2.142 – Conduct vulnerability scans regularly.

Security Assessment (CA)

Evaluating security controls helps maintain and enhance cybersecurity posture over time. Example: CA.2.158 – Develop and implement corrective action plans.

System and Communications Protection (SC)

Protecting data during transmission and storage prevents interception or tampering. Example: SC.2.179 – Encrypt all Controlled Unclassified Information in transit.

System and Information Integrity (SI)

Detecting and responding to threats such as malware or anomalous activity protects system health. Example: SI.2.216 – Monitor systems for malicious software.

Risk Management (RM)

Governance-level policies guide organizational approaches to cybersecurity risks. Example: RM.2.141 – Periodically review risk management policies.

Supply Chain Risk Management (SR)

Extending security requirements to suppliers ensures the entire supply chain remains secure. Example: SR.2.242 – Evaluate security risks posed by suppliers.

Want help staying compliant? Sign up for the CMMC Dashboard to simplify your certification journey and manage all your requirements in one place.

To learn more about risk and supply chain security, see our post on The Impact of CMMC on Defense Contracts & Supply Chain.

How Do the Domains Align with CMMC Levels?

Understanding which domains apply at each level helps tailor compliance efforts:

  • Level 1: Focuses on 6 key domains with 15 foundational controls based on FAR 52.204-21, targeting basic safeguarding of FCI.
  • Level 2: Covers all 17 domains and incorporates the complete set of 110 practices derived from NIST SP 800-171, designed for protecting CUI.
  • Level 3: Builds upon Level 2 by adding 24 enhanced practices from NIST SP 800-172, elevating defensive capabilities in select domains.