Understanding CMMC: Domain Groups
Summary
CMMC practices are organized into 14 domains, which are categories that reflect the areas of security that the practices cover. These include Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. Each domain contains a different amount of practices, and with each level of certification, more practices are needed.
CMMC lists practices (or controls) an organization must follow to pass a CMMC assessment and achieve CMMC certification. The practices derive primarily from FAR 48 CFR 52.204-21, DFARS 252.204-7012, and NIST SP 800-171 Revision 2. The practices are organized into fourteen domains (or categories) in alignment with the NIST SP 800-171 SP Rev 2 families.
Level 1 CMMC certification requires adherence to seventeen practices from six domains. Level 2 certification requires adherence to 110 practices from fourteen domains. Level 3 is expected to contain even more requirements, likely from 14 or more domains!
The practice lists can be overwhelming. Understanding domains can help you tackle them.
Access Control (AC): Concerned with the processes and controls in place to ensure that only authorized individuals have access to sensitive information and systems and that access is granted and revoked in a controlled and secure manner. This domain includes implementing authentication and authorization controls to verify the identity of users and grant them appropriate levels of access, implementing access controls to prevent unauthorized access to systems and networks, and monitoring and reviewing access to ensure that it's used appropriately. There are four Level 1 AC practices and eighteen Level 2 AC practices.
Access Control Domain Practices, as listed in CMMC Assessment Guide - Level 2
Awareness and Training (AT): Concerned with the processes and controls in place to ensure that an organization's employees and contractors have the knowledge and skills to understand and appropriately handle sensitive information and identify and respond to potential cybersecurity threats. This domain includes practices such as providing training on security policies and procedures, conducting regular awareness campaigns to educate employees about cyber threats and how to protect against them, and testing employee understanding of security practices through drills and simulations. There are zero Level 1 AT practices and three Level 2 AT practices.
Audit and Accountability (AU): Concerned with the processes and controls in place to ensure that an organization's activities are being correctly recorded and monitored and that any issues that arise can be promptly identified and addressed. This domain includes practices such as logging, monitoring, and reviewing activity on systems and networks and implementing processes for identifying and responding to security incidents. Audit and Accountability focuses on tracking and monitoring activity on an organization's systems and networks. There are zero Level 1 AU practices and nine Level 2 AU practices.
Configuration Management (CM): Concerned with the processes and controls in place to ensure that systems and networks are configured securely and consistently and that any changes to their configuration are made in a controlled and authorized manner. This domain includes practices for establishing and maintaining documentation of the configuration of systems and networks, implementing controls to prevent unauthorized changes to the configuration, and monitoring and reviewing configuration changes to ensure that they are made in a secure and authorized manner. There are zero Level 1 CM practices and nine Level 2 CM practices.
Identification and Authentication (IA): Concerned with the processes and controls in place to identify and authenticate individuals, devices, and systems that access sensitive information. This domain includes practices like implementing robust and multi-factor authentication to verify the identity of users, regularly reviewing and updating access controls to ensure that only authorized individuals have access to sensitive information and systems and implementing controls to prevent unauthorized access to systems and networks. There are two Level 1 IA practices and nine Level 2 IA practices.
Incident Response (IR): Concerned with the processes and controls in place to identify, respond to, and recover from cybersecurity incidents. This domain includes practices such as establishing an incident response plan that outlines the steps to be taken in the event of a cyber incident, implementing processes for detecting potential incidents, and providing training to employees on how to respond to and report incidents. There are zero Level 1 IR practices and three Level 2 IR practices.
Maintenance (MA): Concerned with the processes and controls in place to ensure that systems and networks are kept up to date and in good working order and that any issues that arise are promptly addressed. This domain includes practices such as implementing change control processes to ensure that changes to systems and networks are made in a controlled and authorized manner, regularly patching and updating systems and software to address vulnerabilities, and conducting regular maintenance and testing to ensure that systems are functioning correctly. There are zero Level 1 MA practices and six Level 2 MA practices.
Media Protection (MP): Concerned with the processes and controls to protect sensitive information stored on media such as hard drives, USB drives, and other storage devices. This domain includes practices such as implementing controls to prevent unauthorized access to media, securely disposing of media when it is no longer needed, and implementing controls to prevent the loss or theft of media. Media Protection practices help to protect removable media and devices from unauthorized access or tampering. There is one Level 1 MP practice and eight Level 2 MP practices.
Personnel Security (PS): Concerned with the processes and controls that are in place to ensure that only trustworthy individuals with the necessary skills and qualifications are granted access to sensitive information and systems. This domain covers practices related to conducting background checks on employees and contractors, implementing controls to prevent unauthorized access to sensitive information, and providing training to employees on security policies and procedures. There are zero Level 1 PS practices and two Level 2 PS practices.
Physical Protection (PE): Concerned with the processes and controls in place to protect physical assets, such as computers and other hardware, from unauthorized access, damage, or theft. This domain's practices focus on implementing controls to prevent unauthorized access to physical assets, securing hardware and other equipment in designated areas, and implementing controls to prevent the loss or theft of physical assets. There are four Level 1 PE practices and two Level 2 PE practices.
Risk Assessment (RA): Concerned with the processes and controls in place to identify and assess the organization's cybersecurity risks and implement appropriate controls to mitigate those risks. Domain practices include conducting regular risk assessments to identify potential vulnerabilities and threats to the organization's systems and networks, implementing controls to mitigate identified risks, and regularly reviewing and updating risk assessments to ensure they are still relevant and effective. There are zero Level 1 RA practices and three Level 2 RA practices.
Security Assessment (CA): Concerned with the processes and controls that are in place to evaluate the effectiveness of an organization's cybersecurity measures and identify any areas that need improvement. This domain includes practices such as conducting regular assessments of the organization's cybersecurity posture, implementing controls to address identified weaknesses, and maintaining a system security plan. There are zero Level 1 CA practices and four Level 2 CA practices.
System and Communication Protection (SC): Concerned with the processes and controls in place to protect systems and networks from unauthorized access, as well as ensuring the confidentiality, integrity, and availability of sensitive information transmitted over those systems and networks. This domain includes practices such as implementing controls to prevent unauthorized access to systems and networks, implementing encryption to protect the confidentiality of transmitted information, and implementing controls to ensure the availability of systems and networks. There are two Level 1 SC practices and fourteen Level 2 SC practices.
System and Information Integrity (SI): Concerned with the processes and controls in place to ensure the integrity of systems and networks and to protect against the unauthorized modification or destruction of sensitive information. This domain includes practices such as implementing controls to prevent unauthorized changes to systems and networks, implementing controls to prevent the unauthorized modification or destruction of sensitive information, and regularly reviewing and testing systems and networks to ensure that they are functioning correctly. There are four Level 1 SI practices and three Level 2 SI practices.
CMMC can be overwhelming. If you need help with how to address the multitude of compliance requirements for CMMC, understanding domains might help. Instead of thinking about the issues practice-by-practice, domains help you to take a broader view. When you understand the bigger picture, CMMC practice requirements become clearer.
Stay tuned for Monday’s blog exploring Level 2 requirements and the assessment process!
