CMMC 2.0 & NIST CSF — Security Controls Mapping Across Frameworks

This table shows the 25 compliance areas where CMMC 2.0 and NIST CSF controls overlap. When you mark a control as implemented in either framework, Venvera automatically propagates the status to the equivalent control in the other.

Compliance Area	CMMC 2.0	NIST CSF
Access Control	AC.L2-3.1.1, AC.L2-3.1.2	PR.AA-01, PR.AA-05
Least Privilege	AC.L2-3.1.5, AC.L2-3.1.6	PR.AA-05
Remote Access	AC.L2-3.1.12, AC.L2-3.1.14	PR.AA-03, PR.IR-01
Wireless Access	AC.L2-3.1.16, AC.L2-3.1.17	PR.IR-01
Authentication & MFA	IA.L2-3.5.3, IA.L2-3.5.4	PR.AA-03
Identifier Management	IA.L2-3.5.1, IA.L2-3.5.2	PR.AA-01, PR.AA-03
Security Awareness & Training	AT.L2-3.2.1, AT.L2-3.2.2	PR.AT-01
Insider Threat Awareness	AT.L2-3.2.3	PR.AT-01, PR.AT-02
Audit Logging	AU.L2-3.3.1, AU.L2-3.3.2	DE.CM-01, DE.AE-02
Audit Review & Reporting	AU.L2-3.3.5, AU.L2-3.3.6	DE.AE-02, DE.AE-04
Audit Protection	AU.L2-3.3.8, AU.L2-3.3.9	PR.DS-01
Configuration Management	CM.L2-3.4.1, CM.L2-3.4.2	PR.PS-01
Change Control	CM.L2-3.4.3, CM.L2-3.4.4	PR.PS-01, ID.IM-02
Incident Response	IR.L2-3.6.1, IR.L2-3.6.2	RS.MA-01, RS.AN-03
Incident Reporting	IR.L2-3.6.3	RS.CO-02
Maintenance Controls	MA.L2-3.7.1, MA.L2-3.7.2	PR.MA-01
Media Protection	MP.L2-3.8.1, MP.L2-3.8.2	PR.DS-01, PR.DS-10
Media Sanitization	MP.L2-3.8.3	PR.DS-10
Physical Protection	PE.L2-3.10.1, PE.L2-3.10.2	PR.AA-02
Personnel Security	PS.L2-3.9.1, PS.L2-3.9.2	PR.AA-05, PR.IP-11
Risk Assessment	RA.L2-3.11.1, RA.L2-3.11.2	ID.RA-01, ID.RA-03, ID.RA-05
Vulnerability Scanning	RA.L2-3.11.2, RA.L2-3.11.3	ID.RA-01, PR.PS-01
Security Assessment	CA.L2-3.12.1, CA.L2-3.12.3	ID.IM-02
System & Communications Protection	SC.L2-3.13.1, SC.L2-3.13.2	PR.IR-01, PR.DS-01
Encryption (CUI in Transit)	SC.L2-3.13.8, SC.L2-3.13.11	PR.DS-01, PR.DS-02

ℹ️

For details on how propagation works, thresholds, and the auto-mapped badge, see the Cross-Framework Control Propagation overview article.