Skip to content

The 14 CMMC Control Domains

 

Explore basic concepts about CMMC’s 14 control domains, an explanation of each, similarities with NIST SP 800-171 Rev 2 and more, through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

What are the 14 CMMC control domains (security families)? 

 

Summary: The 14 CMMC control domains are the security requirement families drawn from NIST SP 800-171 Rev 2 that organize the 110 security controls and 320 assessment objectives applicable to CMMC Level 2 compliance. 

The 14 domains are:

  1. Access Control (AC) with 22 requirements
  2. Awareness and Training (AT) with 3 requirements
  3. Audit and Accountability (AU) with 9 requirements
  4. Configuration Management (CM) with 9 requirements
  5. Identification and Authentication (IA) with 11 requirements
  6. Incident Response (IR) with3 requirements
  7. Maintenance (MA) with 6 requirements
  8. Media Protection (MP) with 9 requirements
  9. Personnel Security (PS) with 2 requirements
  10. Physical Protection (PE) with 6 requirements
  11. Risk Assessment (RA) with 3 requirements
  12. Security Assessment (CA) with 4 requirements
  13. System and Communications Protection (SC) with 16 requirements
  14. System and Information Integrity (SI) with 7 requirements

Each domain addresses a distinct dimension of organizational cybersecurity, and all 14 must be fully addressed for CMMC Level 2 compliance. The domains cannot be selectively scoped, every in-scope asset handling CUI must meet requirements across all 14 domains. 

 

What is the difference between the 110 NIST SP 800-171 security controls and the 320 CMMC assessment objectives? 

 

Summary: The 110 security controls define what a contractor must do to protect CUI, while the 320 assessment objectives are the granular criteria a C3PAO evaluates to determine whether each control is actually implemented, operating as intended, and producing the desired outcome. 

Each of the 110 controls typically maps to multiple assessment objectives, some controls have only one objective while others have as many as six. The assessment objectives are derived from NIST SP 800-171A and define the specific evidence, demonstrations, or documentation an assessor uses to make a MET or NOT MET determination. 

For example, NIST SP 800-171 Rev 2 control 3.5.3 requires multi-factor authentication. The corresponding assessment objectives break this down into specific sub-requirements: MFA required for local access to privileged accounts, for network access to privileged accounts, and for network access to non-privileged accounts. A contractor cannot satisfy the control at the requirement level without satisfying every corresponding objective. All 320 objectives must be MET for Final CMMC Level 2 certification.

 

What does the Access Control (AC) domain require under CMMC Level 2? 

 

Summary: The Access Control domain contains 22 security requirements governing who and what can access contractor information systems and CUI, under what conditions, and through what mechanisms. 

Key requirements include: limiting system access to authorized users, processes, and devices; controlling the flow of CUI in accordance with approved authorizations; implementing least privilege so users have access only to what is necessary for their role; controlling access to CUI by external systems; prohibiting remote access from non-organizationally-owned devices without specific controls; encrypting CUI on mobile devices and mobile computing platforms; controlling wireless access to authorized users; and verifying and controlling all connections to external systems. 

Contractors must document their access control policies, maintain user access lists, and periodically review and update access authorizations as part of their ongoing compliance posture. All access control configurations must be reflected in the System Security Plan (SSP) and supported by evidence during assessment. 

 

What does the Awareness and Training (AT) domain require under CMMC Level 2? 

 

The Awareness and Training domain contains 3 security requirements from NIST SP 800-171 Rev 2 requiring contractors to ensure all personnel with access to organizational information systems are aware of security risks and are trained to carry out their assigned security responsibilities. 

The three requirements are:

  1. Ensuring managers, system administrators, and users are made aware of security risks associated with their activities and applicable policies, standards, and procedures.
  2. Ensuring personnel are trained to carry out their assigned information security-related duties and responsibilities.
  3. Providing security awareness training on recognizing and reporting potential threats, including social engineering attacks such as phishing.

Training must be role-specific, employees who administer systems or handle CUI have different training requirements from general staff. Training records must be maintained as documentary evidence for assessment purposes. 

 

What does the Audit and Accountability (AU) domain require under CMMC Level 2? 

 

Summary: The Audit and Accountability domain contains 9 security requirements requiring contractors to create, protect, retain, and review system audit records sufficient to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. 

Key requirements include: creating and retaining audit logs enabling investigation of unlawful activity; ensuring individual user actions can be traced to support accountability; reviewing and updating logged events; alerting relevant personnel in the event of audit process failure; correlating audit record review and reporting processes; protecting audit information and tools from unauthorized access, modification, and deletion; limiting management of audit logging to privileged users; and reviewing audit records for indications of inappropriate or unusual activity. 

Organizations must define their logging retention periods in policy, industry practice and assessor expectation typically require 90 days of immediately available logs and one year of archived logs. Log integrity must be maintained and logs must not be alterable by standard users.

 

What does the Configuration Management (CM) domain require under CMMC Level 2? 

 

Summary: The Configuration Management domain contains 9 security requirements requiring contractors to establish and maintain baseline configurations of information systems, control changes to those systems, and restrict the use of unauthorized software and services. 

Key requirements include: establishing and maintaining baseline configurations and inventories of organizational information systems including hardware, software, firmware, and documentation; establishing and enforcing security configuration settings for IT products employed in organizational systems; controlling and monitoring user-installed software; establishing and documenting configuration change control processes; analyzing the security impact of changes prior to implementation; and preventing the use of unauthorized software through blacklisting or application whitelisting. 

Organizations must maintain documented hardware and software inventories and demonstrate a formal change management process as evidence during assessment. Any deviation from an established baseline must be documented, reviewed, and approved. 

 

What does the Identification and Authentication (IA) domain require under CMMC Level 2? 

 

Summary: The Identification and Authentication domain contains 11 security requirements governing how users, processes, and devices are identified and verified before being granted access to information systems handling CUI. 

Key requirements include: identifying system users, processes, and devices; authenticating those users, processes, and devices before allowing system access; using multi-factor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts; employing replay-resistant authentication mechanisms; enforcing minimum password complexity and change requirements; prohibiting password hints; disabling accounts after a defined number of consecutive invalid login attempts; and encrypting or hashing passwords during transmission and storage. 

The MFA requirement is one of the most widely scrutinized controls during CMMC Level 2 assessments and among the most commonly found gaps, often because organizations have deployed MFA on some systems but not others, or have exempted certain account types. All MFA configurations must be documented in the SSP. 

 

What does the Incident Response (IR) domain require under CMMC Level 2? 

 

The Incident Response domain contains 3 security requirements from NIST SP 800-171 Rev 2 requiring contractors to establish an operational capability to prepare for, detect, analyze, contain, recover from, and document cybersecurity incidents affecting their information systems. 

The three requirements are:

  1. Establishing an operational incident-handling capability that includes adequate preparation, detection, analysis, containment, recovery, and user response activities, and tracking, documenting, and reporting incidents.
  2. Tracking, documenting, and reporting incidents to designated officials and authorities both internal and external to the organization.
  3. Testing the organizational incident response capability. 

Together, these requirements mean a contractor must have a written, tested incident response plan that defines roles and responsibilities, detection and analysis procedures, containment and recovery steps, and documentation and reporting protocols. The plan must be exercised regularly, tabletop exercises and simulations both qualify, and records of exercises must be maintained as evidence. 

 

What does the Maintenance (MA) domain require under CMMC Level 2? 

 

The Maintenance domain contains 6 security requirements from NIST SP 800-171 Rev 2 governing how contractors perform, control, and monitor maintenance activities on organizational information systems, with specific controls for remote maintenance. 

Key requirements include: performing maintenance on organizational information systems; providing controls on the tools, techniques, mechanisms, and personnel used to conduct maintenance; ensuring equipment removed for off-site maintenance is sanitized of all CUI; checking media containing diagnostic and test programs for malicious code before use; requiring MFA for remote maintenance sessions; and supervising maintenance activities of personnel without required access authorization. 

Remote maintenance, any maintenance conducted via remote connection rather than physical presence, carries heightened scrutiny because uncontrolled remote access to in-scope systems creates significant CUI exposure. All remote maintenance sessions must be logged, monitored, and terminated when maintenance is complete.

 

What does the Media Protection (MP) domain require under CMMC Level 2? 

 

Summary: The Media Protection domain contains 9 security requirements governing how contractors protect, control, sanitize, and dispose of both physical and digital media containing CUI throughout its lifecycle. 

Key requirements include: protecting system media containing CUI, both paper and digital; limiting access to CUI on media to authorized users; sanitizing or destroying information system media before disposal or reuse using NIST SP 800-88 compliant methods; marking media with necessary CUI markings; controlling access to media during transport; implementing cryptographic mechanisms to protect CUI during transport; and prohibiting the use of portable storage devices with no identifiable owner. 

Removable media controls, USB drives, external hard drives, optical media, are commonly assessed areas where organizations frequently have gaps. Organizations must maintain an inventory of portable media containing CUI and demonstrate proper disposal procedures.

 

What does the Personnel Security (PS) domain require under CMMC Level 2? 

 

The Personnel Security domain contains 2 security requirements from NIST SP 800-171 Rev 2 addressing the security risks posed by employees and contractors, both during employment and at termination. 

The two requirements are:

  1. Screening individuals prior to authorizing access to organizational information systems that contain CUI, requiring background checks or vetting procedures for employees and contractors who will handle CUI.
  2. Ensuring that CUI and information system access authorizations are terminated upon personnel departure or transfer, and that returned property, system access credentials, and authenticators are recovered upon departure. 

While PS is one of the smallest domains by requirement count, termination procedures are a commonly found gap, organizations frequently fail to promptly deprovision accounts and access credentials when employees leave. Formal offboarding procedures that include system access revocation, credential recovery, and documentation must be established and consistently followed. 

 

What does the Physical Protection (PE) domain require under CMMC Level 2? 

 

Summary: The Physical Protection domain contains 6 security requirements governing physical access to organizational information systems, equipment, and the facilities in which they operate, as well as protections for employees working at alternative work sites. 

Key requirements include: limiting physical access to organizational information systems and equipment to authorized individuals; protecting and monitoring the physical facility and support infrastructure; escorting visitors and monitoring visitor activity; maintaining audit logs of physical access; controlling and managing physical access devices such as keys, locks, badges, and access cards; and enforcing safeguarding measures for CUI at alternative work sites such as home offices or satellite locations (PE.L2-3.10.6). 

The alternate work site requirement is particularly relevant for organizations with remote workers, employees working from home must have safeguards equivalent to those in a primary facility, including locked storage for physical CUI and controlled access to workspaces. 

 

What does the Risk Assessment (RA) domain require under CMMC Level 2? 

 

The Risk Assessment domain contains 3 security requirements from NIST SP 800-171 Rev 2 requiring contractors to periodically assess risk to organizational operations and assets resulting from the operation of information systems that process, store, or transmit CUI. 

The three requirements are:

  1. Periodically assessing the risk to organizational operations, assets, and individuals resulting from the operation of organizational information systems and the associated processing of CUI.
  2. Scanning for vulnerabilities in organizational information systems and applications periodically and when new vulnerabilities are identified.
  3. Remediating vulnerabilities in accordance with risk assessments. 

Risk assessments must be documented, conducted on a defined cycle, and used to inform security investment and control prioritization decisions. Vulnerability scanning results must be tracked, and remediation timelines must be established and followed.

 

What does the Security Assessment (CA) domain require under CMMC Level 2? 

 

The Security Assessment domain contains 4 security requirements from NIST SP 800-171 Rev 2 requiring contractors to periodically assess their security controls, develop plans to remediate deficiencies, and continuously monitor the security posture of their information systems. 

The four requirements are:

  1. Periodically assessing security controls to determine if the controls are effective in their application.
  2. Developing and implementing plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities.
  3. Monitoring information system security controls on an ongoing basis to ensure continued effectiveness.
  4. Developing, documenting, and periodically updating system security plans that describe system boundaries, environments of operation, how security requirements are implemented, and relationships with other systems. 

The System Security Plan (SSP) is a direct output of the CA domain and serves as the primary documentation artifact for CMMC assessment evidence. 

 

What does the System and Communications Protection (SC) domain require under CMMC Level 2? 

 

Summary: The System and Communications Protection domain contains 16 security requirements governing how contractors monitor, control, and protect communications within and between information systems, and enforce architectural and technical boundaries around CUI. 

Key requirements include: monitoring, controlling, and protecting communications at external and key internal boundaries; separating user functionality from system management functionality; implementing subnetworks for publicly accessible system components physically or logically separated from internal networks; denying network communications traffic by default with permit-by-exception; preventing remote devices from simultaneously using a VPN connection while connected to the Internet (split tunneling prohibition); implementing FIPS 140-validated cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission; and using only approved cryptography for establishing secure communications. 

The SC domain is heavily technical and commonly yields gaps during assessments. Organizations that route CUI across networks without encryption, permit split tunneling, or have not implemented network segmentation between CUI and non-CUI environments frequently fail multiple SC controls. 

 

What does the System and Information Integrity (SI) domain require under CMMC Level 2? 

 

Summary: The System and Information Integrity domain contains 7 security requirements requiring contractors to identify, report, and correct information system flaws; protect from malicious code; and monitor information systems to detect attacks and unauthorized activity. 

Key requirements include: identifying, reporting, and correcting information system flaws in a timely manner; providing protection from malicious code at appropriate locations within organizational information systems; monitoring security alerts and advisories and taking appropriate action; updating malicious code protection mechanisms when new releases are available; performing periodic scans of the information system and real-time scans of files from external sources; monitoring organizational information systems to detect attacks and unauthorized local, network, and remote connections; and identifying unauthorized use of organizational information systems. 

Patch management, endpoint protection (antivirus/anti-malware), and security monitoring are the primary technical implementations for this domain. Failure to deploy and maintain endpoint protection is one of the most commonly cited deficiencies during CMMC Level 2 assessments. 

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties