The 14 CMMC Domains: A Comprehensive Guide

The Cybersecurity Maturity Model Certification (CMMC) framework is the Department of Defense’s cornerstone for ensuring its contractors properly protect sensitive information. The framework is organized into 14 domains, each representing a distinct category of cybersecurity capabilities. Understanding these domains is the first step toward building a compliant and resilient security program.

This guide serves as a central hub. Below, you will find a list of all 14 domains. Click on any domain to access a detailed article explaining its purpose, key practices, and compliance requirements.

CMMC 2.0 Security Domains

• Access Control (AC): Who can access your systems and what can they do?
• Awareness and Training (AT): How do you ensure your team is security-conscious?
• Audit and Accountability (AU): How do you track and review system activity?
• Configuration Management (CM): How do you establish and maintain secure system configurations?
• Identification and Authentication (IA): How do you verify the identities of users and devices?
• Incident Response (IR): How does your organization prepare for and respond to cyber incidents?
• Maintenance (MA): How do you securely perform system maintenance?
• Media Protection (MP): How do you protect information on digital and physical media?
• Personnel Security (PS): How do you manage security risks related to personnel?
• Physical Protection (PE): How do you secure physical access to your systems and facilities?
• Risk Assessment (RA): How do you identify, evaluate, and manage cybersecurity risks?
• Security Assessment (CA): How do you assess the effectiveness of your security controls?
• System and Communications Protection (SC): How do you secure your internal and external communication channels?
• System and Information Integrity (SI): How do you ensure systems and data are protected from unauthorized modification or destruction?

Use our AI Readiness Assessment tool to get a baseline of your current posture across these domains.