CMMC Domains

The CMMC Domains

As mentioned in a previous blog, the CMMC program refers to a set of cybersecurity requirements certain organizations must obey to protect controlled unclassified information that is shared by the Department of Defense with its contractors and subcontractors.

The extensive list of requirements, including those related to security awareness and training, is summarized below, grouped within 17 domains.

Access Control

This domain focuses on controlling who and what can access your systems, as well as who has remote system access, and on the limitations of their roles.

Asset Management

This domain requires organizations to locate, identify, and log inventory of their assets.

Audit & Accountability

This domain requires companies to have processes in place for tracking users who access Controlled Unclassified Information (CUI) and to perform audits of those logs to ensure those users are held accountable for their behavior.

Awareness & Training

This domain requires that you have training programs in place for your staff and conduct regular security awareness activities.

Configuration Management

This domain requires companies to establish configuration standards in order to determine how efficient the systems are. It is necessary to conduct audits to accurately measure the posture of your systems.

Identification & Authentication

This domain ensures the proper roles within your organization have the right level of access and are identifiable for reporting purposes.

Incident Response

For this domain, an Incident Response Plan is mandatory. Your organization needs to be able to detect and report security events, develop and implement responses to incidents, perform post-incident assessments, and test the response to measure your system’s readiness in the event of a cyber-attack.


Maintenance

This domain requires organizations to have maintenance solutions in place to keep their systems operational. As with all scenarios, sensitive data must be protected in these instances.

Media Protection

This domain highlights the risks associated with removable media, such as digital storage devices or paper, and how your organization can protect against such risks. For this domain, your organization will need to prove it has its media identified and appropriately marked for simplified access. It is also required to provide evidence of a media protection protocol, a sanitization protocol, etc.

Personnel Security

Your staff will have to be properly screened and have background checks run. Also, you will need to provide evidence that your CUI is protected even when members of your staff leave the organization or get transferred.

Physical Protection

Your organization needs to provide evidence of physical security surrounding its assets. As expected, cybersecurity measures aren’t adequate if unauthorized physical access to your equipment is allowed.


Recovery

This CMMC domain requires that you keep and log backups of media necessary to your organization. These need to be logged for restoring damaged systems and to mitigate the effects of a cyberattack.

Risk Management

This domain describes the ongoing need to anticipate risks to your data and systems and remediate them in a timely manner using regular risk assessments and vulnerability scanning.

Security Assessment

For security assessments, your organization will need to create and maintain a security plan, define and manage controls, and periodically analyze its defensive capabilities, improving them when possible.

Situational Awareness

This domain specifies how an organization must look for and handle cyber threats that arise from various sources. A threat monitoring system is required. This helps supplement other domains and keeps the organization secure in the unfortunate event of a cyber incident.

System and Communication Protection

This CMMC domain includes a list of safe communication practices. You will need to provide evidence your organization has control of its communications at system boundaries.

System and Information Integrity

This domain requires your organization to identify and manage flaws within the system, identify vulnerabilities and malicious actions, implement email security solutions, and monitor the network to maintain the integrity of the system.

StratusPointIT can provide expert assistance and recommendations. For more information, please feel free to reach out.