Understanding CMMC Requirements: A Breakdown of the Key Domains
CMMC compliance is not a checklist exercise. It is a structured cybersecurity framework designed to protect Controlled Unclassified Information (CUI) across the defense industrial base. At its core, CMMC Level 2 is built on 14 security domains derived from NIST SP 800-171.
Understanding these domains helps contractors focus efforts where assessors look first.
The 14 CMMC Security Domains Explained
Access Control (AC)
Limit access to CUI based on job role and need-to-know. Enforce MFA, session controls, and least privilege.
Audit and Accountability (AU)
Log system activity, retain audit records, and review them regularly to detect misuse or anomalies.
Awareness and Training (AT)
Ensure personnel receive role-appropriate cybersecurity training and understand their responsibilities.
Configuration Management (CM)
Maintain secure configurations, control system changes, and prevent unauthorized modifications.
Identification and Authentication (IA)
Verify user identities before granting access, with strong authentication methods.
Incident Response (IR)
Establish, document, and test procedures to detect, respond to, and recover from security incidents.
Maintenance (MA)
Control and monitor system maintenance, especially when performed remotely.
Media Protection (MP)
Safeguard physical and digital media containing CUI throughout its lifecycle.
Personnel Security (PS)
Screen personnel and manage access during onboarding, role changes, and termination.
Physical Protection (PE)
Restrict physical access to systems, facilities, and equipment that process CUI.
Risk Assessment (RA)
Identify and assess risks regularly to inform security decisions.
Security Assessment (CA)
Evaluate the effectiveness of controls and maintain assessment evidence.
System and Communications Protection (SC)
Protect data in transit and segment networks to reduce exposure.
System and Information Integrity (SI)
Detect flaws, manage vulnerabilities, and protect systems from malicious code.
Why the Domains Matter
CMMC Level 2 assessments evaluate how well these domains operate together, not in isolation. Gaps in one domain often undermine others. Weak access control, for example, makes logging and incident response ineffective: if accounts are shared or over-privileged, audit records cannot reliably attribute actions to an individual, and responders cannot tell legitimate activity from misuse.
What Contractors Should Do Now
Map existing controls to each domain, update your System Security Plan, and validate that controls are implemented and operating consistently. Preparation across all 14 domains reduces assessment risk and protects CUI.
CMMC compliance starts with understanding the domains. Passing requires proving they work.