The CMMC 2.0 dashboard — shown with sample data.
CMMC 2.0 organises security requirements into practices grouped across 14 domains . Each practice corresponds to a specific security requirement from NIST SP 800-171 (Level 2) or FAR 52.204-21 (Level 1).
The 14 CMMC Domains
Domain ID Domain Name L1 L2 Focus Area
AC Access Control 4 22 Limit system access to authorised users
AT Awareness & Training 0 3 Ensure personnel are aware of security risks
AU Audit & Accountability 0 9 Create, protect, and retain audit records
CM Configuration Management 0 9 Establish and maintain baseline configurations
IA Identification & Authentication 2 11 Identify and authenticate users and devices
IR Incident Response 0 3 Establish incident-handling capability
MA Maintenance 0 6 Perform timely system maintenance
MP Media Protection 1 9 Protect and sanitise media containing CUI
PE Physical Protection 4 6 Limit physical access to systems
PS Personnel Security 0 2 Screen individuals prior to access
RA Risk Assessment 0 3 Assess organisational risk
CA Security Assessment 0 4 Assess and monitor security controls
SC System & Communications Protection 2 16 Monitor and protect communications
SI System & Information Integrity 4 7 Identify and correct system flaws
Practice Statuses
Not Started Practice has not been addressed yet
In Progress Implementation is underway but not complete
Implemented Practice is fully implemented and operational
Not Applicable Practice does not apply (requires justification)
On POA&M Practice has a known gap with a plan to remediate