CMMC 2.0 organises security requirements into practices grouped across 14 domains. Each practice corresponds to a specific security requirement from NIST SP 800-171 (Level 2) or FAR 52.204-21 (Level 1).

## The 14 CMMC Domains

| Domain ID | Domain Name | L1 | L2 | Focus Area |
|---|---|---|---|---|
| AC | Access Control | 4 | 22 | Limit system access to authorised users |
| AT | Awareness & Training | 0 | 3 | Ensure personnel are aware of security risks |
| AU | Audit & Accountability | 0 | 9 | Create, protect, and retain audit records |
| CM | Configuration Management | 0 | 9 | Establish and maintain baseline configurations |
| IA | Identification & Authentication | 2 | 11 | Identify and authenticate users and devices |
| IR | Incident Response | 0 | 3 | Establish incident-handling capability |
| MA | Maintenance | 0 | 6 | Perform timely system maintenance |
| MP | Media Protection | 1 | 9 | Protect and sanitise media containing CUI |
| PE | Physical Protection | 4 | 6 | Limit physical access to systems |
| PS | Personnel Security | 0 | 2 | Screen individuals prior to access |
| RA | Risk Assessment | 0 | 3 | Assess organisational risk |
| CA | Security Assessment | 0 | 4 | Assess and monitor security controls |
| SC | System & Communications Protection | 2 | 16 | Monitor and protect communications |
| SI | System & Information Integrity | 4 | 7 | Identify and correct system flaws |

## Practice Statuses

| Status | Meaning |
|---|---|
| Not Started | Practice has not been addressed yet |
| In Progress | Implementation is underway but not complete |
| Implemented | Practice is fully implemented and operational |
| Not Applicable | Practice does not apply (requires justification) |
| On POA&M | Practice has a known gap with a plan to remediate |