The extensive list of requirements, including those related to security awareness and training, is summarized below, grouped within 17 domains.
Access Control
This domain focuses on controlling who and what can access your systems, who has remote system access, and the limitations of their roles.
Asset Management
This domain requires organizations to locate, identify, and log an inventory of their assets.
Audit & Accountability
This domain requires companies to have processes in place for tracking users who access Controlled Unclassified Information (CUI) and to audit those logs so that those users are held accountable for their behavior.
Awareness & Training
This domain requires that you have training programs in place for your staff and conduct regular security awareness activities.
Configuration Management
This domain requires companies to establish configuration standards in order to determine how efficient their systems are. Audits are necessary to accurately measure the posture of your systems.
Identification & Authentication
This domain ensures the proper roles within your organization have the right level of access and are identifiable for reporting purposes.
Incident Response
For this domain, an Incident Response Plan is mandatory. Your organization needs to be able to detect and report security events; develop and implement responses to incidents; perform post-incident assessments; and test the response to measure your systems' readiness in the event of a cyber-attack.
Maintenance
This domain requires organizations to have maintenance solutions in place to keep their systems operational. As in all scenarios, sensitive data must be protected during maintenance.
Media Protection
This domain highlights the risks associated with removable media, such as digital storage devices or paper, and how your organization can protect against such risks. For this domain, your organization will need to prove it has its media identified and appropriately marked for simplified access. It is also required to provide evidence of a media protection protocol, a sanitization protocol, etc.
Personnel Security
Your staff will have to be properly screened and have background checks run. You will also need to provide evidence that your CUI is protected even when members of your staff leave the organization or are transferred.
Physical Protection
Your organization needs to provide evidence of physical security surrounding its assets. As expected, cybersecurity measures aren't adequate if unauthorized physical access to your equipment is allowed.
Recovery
This CMMC domain requires that you keep and log backups of media necessary to your organization. These need to be logged for restoring damaged systems and to mitigate the effects of a cyberattack.
Risk Management
This domain describes the ongoing need to anticipate risks to your data and systems and to remediate them in a timely manner using regular risk assessments and vulnerability scanning.
Security Assessment
For security assessments, your organization will need to create and maintain a security plan, define and manage controls, and periodically analyze its defensive capabilities, improving them when possible.
Situational Awareness
This domain specifies how an organization must look for and handle cyber threats that arise from various sources. A threat monitoring system is required. This supplements the other domains and keeps the organization secure in the unfortunate event of a cyber incident.
System and Communication Protection
This CMMC domain includes a list of safe communication practices. You will need to provide evidence your organization has control of its communications at system boundaries.
System and Information Integrity
This domain requires your organization to identify and manage flaws within the system, identify vulnerabilities and malicious actions, implement email security solutions, and monitor the network to maintain the integrity of the system.