The Controls page is where you define, implement, and track the operational controls that satisfy CMMC practices. While practices describe what must be achieved, controls describe how your organisation achieves it.

Control Types

| Type | Description | Examples |
|---|---|---|
| Technical | Implemented through technology | Firewall rules, encryption, MFA, SIEM, EDR |
| Administrative | Implemented through policies and governance | Security policies, training programmes, incident response plans |
| Physical | Implemented through physical mechanisms | Badge readers, security cameras, locked server rooms |

Control Statuses

| Status | Description |
|---|---|
| Planned | Identified and designed but not yet deployed |
| In Progress | Deployment or configuration is underway |
| Implemented | Deployed and operational |
| Effective | Tested and confirmed operating as intended |
| Ineffective | Tested and found inadequate |

Control Testing

CMMC assessors evaluate practices using three methods: Examine (review documents/configurations), Interview (discuss with personnel), and Test (exercise mechanisms). Structure your controls and evidence to support all three methods.