CMMC 1.0: 17 interdependent cyber domains

The CMMC framework consist of 17 cybersecurity domains.  A domain is a distinct set or group of security practices (controls) which have similar attributes to each other.  These domains are core to the success of the protection of FCI and CUI.  The following table details the security domains for the safeguarding of FCI and CUI within the CMMC framework.  A description of the 17 cybersecurity domains, an example of its application and the associated capabilities are detailed below.

Access Control
Asset Management
Audit and Accountability
Awareness and Training
Configuration Management
Identification and Authentication
Incident response
Media Protection
Personnel Security
Physical Protection
Risk Management
Security Assessment
Situational Awareness
System Communications Protection
Systems Information Integrity

Table 1: CMMC Domains

Note:  NIST 800 – 53 Rev 5.1 ( a useful reference for the identification of the relevant policies and associated controls which can be applied within the 17 cybersecurity domains.  It goes beyond those which are required at each level of CMMC maturity and whilst it may not represent the final end-state for CMMC, it represents current cybersecurity control best practice and forms the basis of NIST 800 – 171.

Access Control (AC)

Access control is a fundamental security domain and set of security principles.  The principles of access control are applied to both physical and logical assets.  To physical assets such as buildings, fences, gates and doors and logical access principles applied to IT assets like servers, laptops, PC’s, network communication devices, logic controllers, operating systems, applications, and databases.  Core principles of access control are ‘least privilege’ and ‘zero trust’, only allowing access to assets based upon appropriate, authorised and regular assessment, through the use of role-based access control (RBAC) principles.  For technology related assets access control is delivered through identity and access management (IAM) systems, for privileged accounts it is controlled using privilege access management (PAM) solutions.

Example:  When a new employee joins a company they should have a job description which defines their roles and responsibilities, the department in which they work, the activities they are expected to undertake as part of their job and the main location of employment.  They should be given access to physical locations and IT systems based upon their job role and profile e.g. if an employee works within the engineering department they would not require access to finance systems for the fulfilment of invoicing, purchase orders and payments or payroll.  They will require physical access to the engineering department and may require access to areas of production.  They would not require access to server rooms or data centres.  It is important to confirm that all staff (including permanent, contractors and third-party users) have appropriate access only to those systems they need for their jobs.  Administrator accounts should only be provisioned in exceptional circumstances.

CMMC defines 4 Access Control (AC) capabilities.

Access Control (AC)C001 – Establish system access requirements.
C002 – Control internal system access.
C003 – Control remote system access.
C004 – Limit data access to authorised users and processes.

Asset Management (AM)

Asset Management (AM) is a building block of cybersecurity, as organisations are built from many types of tangible and intangible assets.  Assets including buildings, people, PCs, laptops, patents and data.  Assets can be spread between regions and countries, within offices and departments.  The more assets a company has the more points of entry exist, the broader the ‘attack surface’ and the more opportunities there are to cause damage should assets be compromised, destroyed, ransomed or stolen by a cyber-attack.

For any organisation to successfully manage cybersecurity it must have a clear view of all of its assets, their location, use and owner.  This requires an asset management process which includes an up to date asset register.  Reflecting each asset class and the risk and impact to the security of the organisation if the assets are compromised, so that the most appropriate security practices can be applied to them.  Without an up to date asset register an organisation cannot identify all the points of entry and secure them.

Example: The organisation has acquired 50 new PCs as part of a refresh programme.  The new assets are added to the asset register and include the specific asset identification number, configuration and build details, applications installed and security configuration.  Changes to the assets are added to the register through the life of the assets.  The old assets are collected and identified on the asset register.  Certificates of asset destruction are provided by the appropriate certified asset destruction firm and added to the asset register as proof of assets destruction and the assets are marked on the asset register as end of life.

CMMC defines 2 Asset Management (AM) capabilities.

Asset management (AM)C005 – Identify and document assets.
C006 – Manage asset inventory.

Audit and Accountability (AU)

IT systems are a complex interconnected architecture of physical assets, operating systems, databases and applications.  Where users, people and systems are granted access through logical access permissions.  To oversight users and transactions, trace and track their activities audit logs are required.  Audit logging is an important requirement for system governance, it provides the evidence transaction activity, of what users do, on what system and when.  It logs system transactions including systems access, files transfers and communication records and retain these over time.  Automated logging is the only realistic method to track and trace user activity, which is important during the digital forensic investigations, including those during and following a cyber-attack. 

Example: The organisation has employed a Security Operations Centre (SOC) provider to monitor IT systems logs across their critical systems, including their communications gateways (Routers and switches), servers and shop floor machine tools.  Data is sent on a regular basis to the SOC who interrogates it against its database of known threats and threat actors.  It identifies a query from an IP address which originates from a country known to target companies in their market sector.  From a PC on the shop floor.  The SOC correlates this back to firewall logs which confirms that a large amount of data was sent out of the company to the same IP address.  This allowed the company to shut down the relevant IT and run system scans to check their networks and prevent further data losses and in the worst case a potential ransomware.

CMMC defines 4 Audit and Accountability (AU) capabilities.

Audit and Accountability (AU)C007 – Define audit requirements.
C008 – Perform auditing.
C009 – Identify and protect audit information.
C010 – Review and manage audit logs.

Awareness and Training (AT)

Forewarned is forearmed, or to put it simply if an organisation is going to manage cyber related risks it should be aware of what they are and trained to identify them.  Cyber is a business, not a technology risk and everyone in an organisation has a part to play in protecting the assets and securing the finances of the company.   Everyone from the board room to the shop floor needs to be made aware of what cyber risk management is and what part they play daily in protecting the organisation.

Basic cyber hygiene can protect an organisation from approximately 60% of cyber related threats.  There are some simple things which can be implemented.  This requires an organisation to implement a cyber aware culture, which requires regular cybersecurity awareness and training.

Example:  You are a member of staff in the finance department.  You receive an email but you don’t recognise the sender.  It contains a link with an attachment and asks you to change the bank details of a payment instruction.  What do you do?

CMMC defines 2 Awareness and Training (AT) capabilities.

Awareness and Training (AT)C011 – Conduct security awareness activities.
C012 – Conduct training.

Configuration Management (CM)

When an organisation deploys systems such as hardware, software and databases they are configured to operate in certain way.  This could be different depending upon who, when and how the system was implemented and this creates many security challenges.  If devices are configured with different operating systems, antivirus, patch management and administrator settings the security profile across the enterprise varies.  Resulting in some systems being more vulnerable than others.  It also makes systems management more complex.  It is important to standardise the configuration of technology across the organisation.  It reduces operating costs, simplifies maintenance and improves security.

The purpose of configuration management is to establish a consistent, controlled and audited process to manage system changes and subsequently system security, performance and functionality.  In the case of cybersecurity it is applied to systems to ensure that they are built and hardened consistently and that system changes are managed under change control.

Example:  A company has no configuration management policy to set the baseline configuration for laptops.  As a result when IT engineers deploy a new installation of Anti-Virus (AV) software it does not work effectively due to differences in operating system and device configurations.  Engineers also do not configure consistent timings for AV signature updates.   As a result AV is not effective on 40% of the companies laptops and where it is effective the signatures are not updated daily, exposing the company to unnecessary risks associated with new malware.

CMMC defines 2 Configuration Management (CM) capabilities.

Configuration Management (CM)C013 – Establish configuration baselines.
C014 – Perform configuration and change management.

Identification and Authentication (IA)

Before users are allowed to access systems, it is important that they are identified and authenticated.  It enables organisations to keep their systems secure by allowing only those users it has identified and authenticated to access systems appropriately.  This can include systems such as PCs, servers, routers switches, firewalls, operating systems, applications, databases and websites.  Identification is the ability to identify uniquely a user of a system or an application.  Authentication is then the ability to prove that the user or application is genuinely who that user or what that application claims to be.

Example:  Following a process which confirmed that a new user works for the company.  They are given a user ID and password to log into their PC on the company’s network.  When the user logs into their computer they are identified using their user ID, which is checked to confirm that it is valid.  The user uses their password and is also asked to use 2 Factor Authentication (FA).  This is used to authenticate the user to confirm that they are the person associated with the User ID.  If the User ID, password and 2 FA match then the user is granted access to their PC and to systems on the company’s network which have been agreed as part of the Access Control process.

CMMC defines 1 Identification and Authentication (IA) capability.

Identification and Authentication (IA)C015 – Grant access to authenticated entities.

Incident Response (IR)

In the event that an organisation suffers a cyber-attack, it is critical that they are prepared to deal with it.  An Incident Response (IR) plan establishes a clear set of actions to detect, respond and recover from an attack.  The IR plan can be used to address issues like cyber-crime, data loss, and service outages that threaten operations.  It is important that incident response plans are owned by the executive leadership team and test the measures that an organisation could and should take to reduce the impact of a breach from external and internal threats.  The IR plan should be tested frequently to confirm that it is effective and successfully address the range of possible threats an organisation face.

Example: The CEO receives a call from the head of marketing; their computer screen is displaying a strange message ‘This is hacker group espionage, we have been inside your network for the past 6 months and have identified all your critical systems and data.  We have now encrypted all your critical systems.  Pay 100 bitcoins within 24 hours to receive the encryption keys.  If you do not pay within 24 hours our demands will double and then double every 24 hours until you meet our demands.’

What do you do now?

CMMC defines 5 Incident Response (IR) capabilities.

Incident Response (IR)C016 – Plan incident response.
C017 – Detect and report events.
C018 – Develop and implement a response to a declared incident.
C019 – Perform post incident reviews.
C020 – Test incident response.

Maintenance (MA)
Regular systems maintenance ensures the smooth running of operations and reduces the risk break down.  Maintenance procedures which address system speed and performance can help identify inappropriate processes running on devices, unpatched software and programmes which make devices unstable and more likely to fail, causing disruption to operations.  System maintenance identifies vulnerabilities with operating systems, hardware and software which if left unresolved can result in systems being compromised by hackers through recognised vulnerabilities. Example:  You have been given a copy of your company’s most recent maintenance report which identified that your VPN software required patching to close a ‘break-out vulnerability’.  Coincidentally you have been given an up to date ‘Threat assessment report’ which identifies that a well know group of hackers are using a ‘VPN exploit’ to target remote access.  Affecting the same software your company uses to securely access remote services. CMMC defines 1 Maintenance (MA) capability.

Maintenance (MA)C021 – Manage maintenance.

Media Protection (MP)

Without data and information organisations would not be able to operate.  Data forms important IP for the company.  E.g. data in the form of contracts, personnel records, designs, logistics (ERP and PDM), manufacturing instructions, applications and code, sales, invoices, procurement and finance records and postings.  If the data is Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) then it must be identified, marked appropriately and secured throughout the life-cycle of its use.  In whatever form it takes, logical or physical.

Example: The company has won a contract to design, deliver and maintain a mission critical product for a land based fighting vehicle.  The contract has been signed and must be DFARS 252.204-7012 compliant, requiring the protection of CUI.  All CUI related media must be identified, marked appropriately and secured following NIST 800-171 principles.  Therefore the company must apply media protection principles, identifying, marking and securing CUI data across all aspects of the creation, storage and transmission of CUI data related to the design, manufacture, third party supply chain management, delivery and on-going maintenance programmes for the product concerned.

CMMC defines 4 Media Protection (MP) capabilities.

Media Protection (MP)C022 – Identify and mark media.
C023 – Protect and control media.
C024 – Sanitize media.
C025 – Protect media during transport.

Personnel Security (PS)

People are an organisations most important assets, they create the IP upon which companies depend.  They also pose one of the largest risks to the security of data and information, 60% of data breaches occur from insiders.    Employee screening is an important activity, it can be used to clarify a person’s skills and experience, to confirm the presence of a criminal record, evaluate reputation, confirm legal compliance (some regulators and suppliers expect employee screening).  It is important therefore that organisations ensure that their staff have been screened appropriately, if they are to come into contact with sensitive data such as FCI or CUI.

Example:  Your organisation was conducting research into new technology which has the potential to significantly reduce the weight of an air frame, allowing for an increased payload and improve aerodynamic stability.  Twelve months after the completion of the project you receive reports that an international competitor has developed technology which with all intents and purposes looks very similar to that which your company created.

CMMC defines 2 Personnel Security (PS) capabilities.

Personnel Security (PS)C026 – Screen personnel.
C027 – Protect CUI during personnel actions.

Physical Protection (PE)

Physical and logical protection are inextricably linked, without physical protection it is it not possible to protect assets such as the computers, laptops, servers which hold the company’s IP.  If an unauthorised person can damage, destroy or steal assets, all of the firewalls, intrusion detector systems, cryptography and other security measures will not stop them from getting access to the organisation’s IP.  It is therefore important that physical security measures are applied to prevent unauthorised users from gaining access to areas within an organisation they are not authorised to access.

Example: The organisation’s servers are located in a dedicated temperature controlled and fire resistance room.  Access to the room is from a single door which has a lock, allowing anyone access to the room at any time of day or night.  Whilst on the night shift you are walking past the room and notice the door has been left open.  You open the door and the cleaner is inside the room, sitting at a desk looking at the screen.  You challenge the cleaner, their response is that they had a key to clean the room, unaccompanied.

CMMC defines 1 Physical Protection (PE) capability.

Physical Protection (PE)C028 – Limit physical access

Recovery (RE)

IT and system failures are an inevitable part of the operations of an organisation, from a hardware failure, natural disaster or a cyber-attack.  It is important that an organisation has a recovery plan in place, a plan which identifies and tests various organisational specific disaster scenarios and enables the organisation to resume as quickly and seamlessly as possible.  Protecting its assets, IP, FCI and CUI.  The recovery plan identifies all the organisation’s critical assets, including data, the necessary contingencies for backup and restore of data, relocation of critical work to alternate sites, or requirements to hold additional inventory to act as a buffer in the event of an operational outage.  The recovery plan will also define the necessary security requirement to ensure that information security is maintained during recovery.

Example:  The organisation relies on a network enabled CNC machine tool to complete 80% of its complex parts.  The tool is connected to the organisation’s network using a dedicated secured router supplied by the machine tool manufacturer, as the only means of securely transferring code to the tool.   At the end of the afternoon shift the router fails, with the result that the require NC code cannot be sent to the tool to produce a new batch of product required by the morning shift to complete an order for shipment the following day.  The organisation does not have a spare router or a copy of the routing rules embedded into the router, impacting production downstream until a replacement can be found.

CMMC defines 2 Recovery (RE) capabilities.

Recovery (RE)C029 – Manage backups.
C030 – Manage information security continuity.

Risk Management (RM)

Managing cyber-attacks and the consequences of a cyber-attack is an enterprise wide risk management issue.  Cyber-attacks can impact any part of an organisation from the board room to the shop floor and extend through the organisation’s supply chain.  Attacks can be targeted or general and can range in impact from minor disruption with no data theft to ransomware attacks which can bankrupt an organisation and lead to the theft of its most critical IP.  With such a range of possible threats and outcomes it is important that an organisation identifies and manages those risks which it believes are the most significant.  Defining its ‘risk appetite’ and identifying those risks it is willing to accept and those which it is not, putting in place the necessary mitigating actions to manage those risks appropriately.  Given the economic impact and return on investment (ROI) which the company needs to assess.

Example:  The organisation has completed an assessment of its cybersecurity using NIST 800-171r2.  It has estimated that to comply fully with all the identified practices it must spend an additional $10Mn.  A significant investment in technology, people and processes.  In order that the company can identify the most effective way to move forward, it has agreed to identify all of the FCI and CUI data it manages on behalf of its customers and suppliers.  Identifying the risk to the company should this data be stolen, damaged or destroyed and putting in place a risk register and associated plan of action and milestones (POAM).  The POAM defines the necessary controls and mitigating actions and appropriate investment to secure the FCI and CUI, based upon the risk to the organisation and return on investment (ROI).

CMMC defines 3 Risk Management (RM) capabilities.

Risk Assessment (RA)C031 – Identify and evaluate risk
C032 – Manage risk
C033 – Manage supply chain risk

Security Assessment (CA)

Security assessment is an evaluation of the security posture of the organisation.  Based upon its ability to manage its cyber risk profile.  Identifying its inherent risks, assessing the effectiveness of its controls environment and evaluating its residual risk profile.  It is an exercise which continually evolves and improves based upon the changing business environment.  It can be managed through the creation, adoption and management of a systems security plan (SSP).  A document in which an organisation describes the security controls in use across its information system, their effectiveness and method of oversight and assurance.  Once completed an SSP provides a detailed narrative of the roles and responsibilities for security management and reporting within the organisation, the organisation’s security control implementation, detailed system descriptions, component and services inventory and detailed depictions of the system’s data flows within the organisation.

Example:  The organisation is developing its manufacturing to include the manufacture of a new product on behalf of its customer.  Requiring the addition of new design, manufacturing and sales capacity.  Requiring the additional investment in CAD, PDM & ERP and shop floor machine tools.  These new systems will need to be assessed and secured appropriately in-line with the organisation’s current security practices (NIST 800-171 r2) and the organisation’s SSP updated to reflect their addition to the company and security requirement to protect the CUI they will manage.

CMMC defines 3 Security Assessment (CA) capabilities.

Security Assessment (CA)C034 -Develop and manage a system security plan.
C035 – Define and manage controls.
C036 – Perform code reviews.

Situational Awareness (SA)

Organisations are under a constant threat from cyber-attack.  Which can include Nation States, criminals, insiders and script kiddies.  Using tools created by nation states and used by state sponsored actors, cyber tools bought as a service such as DDoS or ransomware.  It is critical that organisations identify the threats which apply to their business either directly or indirectly through dedicated or commercial threat reports.  Keeping updated with what is happening in the market.  It is of equal importance that companies identify vulnerabilities within the software and hardware, published by vendors which will cause damage if they are not fixed and patched appropriately.

Example: The cyber threat assessment organisation has identified that companies within the defence sector are being targeted by a ransomware called SNAKE.  A piece of malicious software which can cause damage to shop floor equipment and ransom applications and data.  The organisation has deployed anti-virus software across its networks, which is updated daily with new signatures to identify different strains of malicious code, including SNAKE.  Unfortunately, the update feature has been inadvertently switched off by an IT engineer.  Preventing the antivirus software maintaining an up to date list of malicious code signature, subsequently identifying and quarantining malicious known code.  Leading to an increased risk that if the SNAKE malware were to get inside the company it may not be detected.

CMMC defines 1 Situational Awareness (SA) capability.

Situational Awareness (SA)C037 – Implement threat monitoring.

System Communications Protection (SC)

Organisations use a wide variety of technology devices to conduct their business operations.  Devices which are connected to form an ecosystem for the creation, transmission, consumption and servicing of data, which is unique to their business operations.  All these devices, networks, communications, and data need to be secured appropriately.  To do this it is important that an organisation has a clear view of its perimeter, including technology, processes, people and data, the maturity of the security solutions across these domains and has appropriate designs in place to leverage all the security solutions available to provide an adequate level of security.  Including network security, access management, data loss prevention, code security, encryption and sand-boxing amongst other practices.

Example: The organisation is subcontracting the manufacture of a component required as part of a contract with the DoD, to a third-party supplier.  This requires the regular transmission of CUI between both parties.  The organisation will need to identify the data flows between both parties and the systems which will create, transmit and secure the relevant CUI throughout the life cycle of the product procurement, design, manufacture, delivery and maintenance.  Ensuring that the appropriate controls have been applied to secure the data through its lifestyle between itself and the third-party supplier.

CMMC defines 2 System Communications Protection capabilities.

Systems and Communications Protection (SC)C038 – Define security requirements for systems and communications.
C039 – Control communications at system boundaries.

System Information Integrity (SI)

Information integrity is a critical requirement to maintaining the confidentiality, integrity and availability of FCI and CUI which is the primary goal of information security and cyber risk management.  It requires the adoption of a broad range of security practices including the remediation of known software flaws (security by design, vulnerability scanning and patch management), the identification and management of malicious software (Anti-Virus), SPAM protection (the identification and removal of known sources of SPAM at all entry points), systems monitoring (the identification and alert of changes in systems security), the oversight of security alerts, advisories and directives (the assessment of security threats), information output handling and retention (information is handled in line with federal laws).

Example:  A member of staff receives a SPAM email, which contains a link to a malicious website.  They click on the link which subsequently downloads malicious code to their laptop.  The antivirus software on their laptop has not been updated for several weeks and therefore did not detect the payload which was installed on the employees laptop, and enabled the Remote Desktop Protocol (RDP) on the device.  Giving the hacker direct access to the laptop and enabling them to control the device remotely.  Gaining a foothold on to the network.

CMMC defines 4 Systems Information Integrity (SI) capabilities.

Systems and Information Integrity (SI)C040 – Identify and manage information system flaws.
C041 – Identify malicious content.
C042 – Perform network and system monitoring.
C043 – Implement advanced email protections.