CMMC 2.0: 14 interdependent cyber domains

The CMMC framework consist of 14 cybersecurity domains.  A domain is a distinct set or group of security practices (controls) which have similar attributes to each other.  These domains are core to the success of the protection of FCI and CUI.  The following table details the security domains for the safeguarding of FCI and CUI within the CMMC framework.  A description of the 14 cybersecurity domains, an example of its application and the associated capabilities are detailed below.

Access Control
(AC)
Awareness and Training
(AT)
Audit and Accountability
(AU)
Configuration Management
(CM)
Identification and Authentication
(IA)
Incident Response
(IR)
Maintenance
(MA)
Media Protection
(MP)
Personnel Security
(PS)
Physical Protection
(PE)
Risk Assessment (RA)Security Assessment
(CA)
System Communications protection
(SC)
System Information integrity
(SI)

Table 4: CMMC Domains

Note:  NIST SP 800 – 171 R2 (https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) is a useful reference for the identification of the relevant policies and associated controls which can be applied within the 14 cybersecurity domains.  NIST SP 800-171 does not represent the final end-state for CMMC, it does however represent the regulated compliance requirements under DFARS 252.204-7012, 7019 and 7020.  That is the baseline standard of compliance expected by the Department of Defence for contract award as of November 2020.  

The 14 NIST SP 800-171 cybersecurity domains associated organisational capabilitiesentified by NIST SP 800-171 are.

1. Access Control (AC)

Access control is a fundamental security domain and set of security principles.  The principles of access control are applied to both physical and logical assets.  To physical assets such as buildings, fences, gates and doors and logical access principles applied to IT assets like servers, laptops, PC’s, network communication devices, logic controllers, operating systems, applications, and databases.  Core principles of access control are ‘least privilege’ and ‘zero trust’, only allowing access to assets based upon appropriate, authorised and regular assessment, through the use of role-based access control (RBAC) principles.  For technology related assets access control is delivered through identity and access management (IAM) systems, for privileged accounts it is controlled using privilege access management (PAM) solutions.

Example:  When a new employee joins a company they should have a job description which defines their roles and responsibilities, the department in which they work, the activities they are expected to undertake as part of their job and the main location of employment.  They should be given access to physical locations and IT systems based upon their job role and profile e.g. if an employee works within the engineering department they would not require access to finance systems for the fulfilment of invoicing, purchase orders and payments or payroll.  They will require physical access to the engineering department and may require access to areas of production.  They would not require access to server rooms or data centres.  It is important to confirm that all staff (including permanent, contractors and third-party users) have appropriate access only to those systems they need for their jobs.  Administrator accounts should only be provisioned in exceptional circumstances.

There are 4 Access Control (AC) capabilities an organisation should maintain.

DomainCapability
Access Control (AC)C001 – Establish system access requirements.
C002 – Control internal system access.
C003 – Control remote system access.
C004 – Limit data access to authorised users and processes.

2. Awareness and Training (AT)

Forewarned is forearmed, or to put it simply if an organisation is going to manage cyber related risks it should be aware of what they are and trained to identify them.  Cyber is a business, not a technology risk and everyone in an organisation has a part to play in protecting the assets and securing the finances of the company.   Everyone from the board room to the shop floor needs to be made aware of what cyber risk management is and what part they play daily in protecting the organisation.

Basic cyber hygiene can protect an organisation from approximately 60% of cyber related threats.  There are some simple things which can be implemented.  This requires an organisation to implement a cyber aware culture, which requires regular cybersecurity awareness and training.

Example:  You are a member of staff in the finance department.  You receive an email but you don’t recognise the sender.  It contains a link with an attachment and asks you to change the bank details of a payment instruction.  What do you do?

There are 2 Awareness and Training (AT) capabilities an organisation should maintain. 

DomainCapability
Awareness and Training (AT)C011 – Conduct security awareness activities.
C012 – Conduct training.

3. Audit and Accountability (AU)

IT systems are a complex interconnected architecture of physical assets, operating systems, databases and applications.  Where users, people and systems are granted access through logical access permissions.  To oversight users and transactions, trace and track their activities audit logs are required.  Audit logging is an important requirement for system governance, it provides the evidence transaction activity, of what users do, on what system and when.  It logs system transactions including systems access, files transfers and communication records and retain these over time.  Automated logging is the only realistic method to track and trace user activity, which is important during the digital forensic investigations, including those during and following a cyber-attack. 

Example: The organisation has employed a Security Operations Centre (SOC) provider to monitor IT systems logs across their critical systems, including their communications gateways (Routers and switches), servers and shop floor machine tools.  Data is sent on a regular basis to the SOC who interrogates it against its database of known threats and threat actors.  It identifies a query from an IP address which originates from a country known to target companies in their market sector.  From a PC on the shop floor.  The SOC correlates this back to firewall logs which confirms that a large amount of data was sent out of the company to the same IP address.  This allowed the company to shut down the relevant IT and run system scans to check their networks and prevent further data losses and in the worst case a potential ransomware.

There are 4 Audit and Accountability (AU) capabilities an organisation should maintain. 

DomainCapability
Audit and Accountability (AU)C007 – Define audit requirements.
C008 – Perform auditing.
C009 – Identify and protect audit information.
C010 – Review and manage audit logs.

4. Configuration Management (CM)

When an organisation deploys systems such as hardware, software and databases they are configured to operate in certain way.  This could be different depending upon who, when and how the system was implemented and this creates many security challenges.  If devices are configured with different operating systems, antivirus, patch management and administrator settings the security profile across the enterprise varies.  Resulting in some systems being more vulnerable than others.  It also makes systems management more complex.  It is important to standardise the configuration of technology across the organisation.  It reduces operating costs, simplifies maintenance and improves security.

The purpose of configuration management is to establish a consistent, controlled and audited process to manage system changes and subsequently system security, performance and functionality.  In the case of cybersecurity it is applied to systems to ensure that they are built and hardened consistently and that system changes are managed under change control.

Example:  A company has no configuration management policy to set the baseline configuration for laptops.  As a result when IT engineers deploy a new installation of Anti-Virus (AV) software it does not work effectively due to differences in operating system and device configurations.  Engineers also do not configure consistent timings for AV signature updates.   As a result AV is not effective on 40% of the companies laptops and where it is effective the signatures are not updated daily, exposing the company to unnecessary risks associated with new malware.

There are 2 Configuration Management (CM) capabilities an organisation should maintain. 

DomainCapability
Configuration Management (CM)C013 – Establish configuration baselines.
C014 – Perform configuration and change management.

5. Identification and Authentication (IA)

Before users are allowed to access systems, it is important that they are identified and authenticated.  It enables organisations to keep their systems secure by allowing only those users it has identified and authenticated to access systems appropriately.  This can include systems such as PCs, servers, routers switches, firewalls, operating systems, applications, databases and websites.  Identification is the ability to identify uniquely a user of a system or an application.  Authentication is then the ability to prove that the user or application is genuinely who that user or what that application claims to be.

Example:  Following a process which confirmed that a new user works for the company.  They are given a user ID and password to log into their PC on the company’s network.  When the user logs into their computer they are identified using their user ID, which is checked to confirm that it is valid.  The user uses their password and is also asked to use 2 Factor Authentication (FA).  This is used to authenticate the user to confirm that they are the person associated with the User ID.  If the User ID, password and 2 FA match then the user is granted access to their PC and to systems on the company’s network which have been agreed as part of the Access Control process.

There is 1 Identification and Authentication (IA) capability an organisation should maintain. 

DomainCapability
Identification and Authentication (IA)C015 – Grant access to authenticated entities.

6. Incident Response (IR)

In the event that an organisation suffers a cyber-attack, it is critical that they are prepared to deal with it.  An Incident Response (IR) plan establishes a clear set of actions to detect, respond and recover from an attack.  The IR plan can be used to address issues like cyber-crime, data loss, and service outages that threaten operations.  It is important that incident response plans are owned by the executive leadership team and test the measures that an organisation could and should take to reduce the impact of a breach from external and internal threats.  The IR plan should be tested frequently to confirm that it is effective and successfully address the range of possible threats an organisation face.

Example: The CEO receives a call from the head of marketing; their computer screen is displaying a strange message ‘This is hacker group espionage, we have been inside your network for the past 6 months and have identified all your critical systems and data.  We have now encrypted all your critical systems.  Pay 100 bitcoins within 24 hours to receive the encryption keys.  If you do not pay within 24 hours our demands will double and then double every 24 hours until you meet our demands.’

What do you do now?

There are 5 Incident Response (IR) capabilities an organisation should maintain. 

DomainCapability
Incident Response (IR)C016 – Plan incident response.
C017 – Detect and report events.
C018 – Develop and implement a response to a declared incident.
C019 – Perform post incident reviews.
C020 – Test incident response.

7. Maintenance (MA)

Regular systems maintenance ensures the smooth running of operations and reduces the risk break down.  Maintenance procedures which address system speed and performance can help identify inappropriate processes running on devices, unpatched software and programmes which make devices unstable and more likely to fail, causing disruption to operations.  System maintenance identifies vulnerabilities with operating systems, hardware and software which if left unresolved can result in systems being compromised by hackers through recognised vulnerabilities.

Example:  You have been given a copy of your company’s most recent maintenance report which identified that your VPN software required patching to close a ‘break-out vulnerability’.  Coincidentally you have been given an up to date ‘Threat assessment report’ which identifies that a well know group of hackers are using a ‘VPN exploit’ to target remote access.  Affecting the same software your company uses to securely access remote services.

There is 1 Maintenance (MA) capability an organisation should maintain. 

DomainCapability
Maintenance (MA)C021 – Manage maintenance.

8. Media Protection (MP)

Without data and information organisations would not be able to operate.  Data forms important IP for the company.  E.g. data in the form of contracts, personnel records, designs, logistics (ERP and PDM), manufacturing instructions, applications and code, sales, invoices, procurement and finance records and postings.  If the data is Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) then it must be identified, marked appropriately and secured throughout the life-cycle of its use.  In whatever form it takes, logical or physical.

Example: The company has won a contract to design, deliver and maintain a mission critical product for a land based fighting vehicle.  The contract has been signed and must be DFARS 252.204-7012 compliant, requiring the protection of CUI.  All CUI related media must be identified, marked appropriately and secured following NIST 800-171 principles.  Therefore the company must apply media protection principles, identifying, marking and securing CUI data across all aspects of the creation, storage and transmission of CUI data related to the design, manufacture, third party supply chain management, delivery and on-going maintenance programmes for the product concerned.

There are 4 Media Protection (MP) capabilities an organisation should maintain. 

DomainCapability
Media Protection (MP)C022 – Identify and mark media.
C023 – Protect and control media.
C024 – Sanitize media.
C025 – Protect media during transport.

9. Personnel Security (PS)

People are an organisations most important assets, they create the IP upon which companies depend.  They also pose one of the largest risks to the security of data and information, 60% of data breaches occur from insiders.    Employee screening is an important activity, it can be used to clarify a person’s skills and experience, to confirm the presence of a criminal record, evaluate reputation, confirm legal compliance (some regulators and suppliers expect employee screening).  It is important therefore that organisations ensure that their staff have been screened appropriately, if they are to come into contact with sensitive data such as FCI or CUI.

Example:  Your organisation was conducting research into new technology which has the potential to significantly reduce the weight of an air frame, allowing for an increased payload and improve aerodynamic stability.  Twelve months after the completion of the project you receive reports that an international competitor has developed technology which with all intents and purposes looks very similar to that which your company created.

There are 2 Personnel Security (PS) capabilities an organisation should maintain. 

DomainCapability
Personnel Security (PS)C026 – Screen personnel.
C027 – Protect CUI during personnel actions.

10. Physical Protection (PE)

Physical and logical protection are inextricably linked, without physical protection it is it not possible to protect assets such as the computers, laptops, servers which hold the company’s IP.  If an unauthorised person can damage, destroy or steal assets, all of the firewalls, intrusion detector systems, cryptography and other security measures will not stop them from getting access to the organisation’s IP.  It is therefore important that physical security measures are applied to prevent unauthorised users from gaining access to areas within an organisation they are not authorised to access.

Example: The organisation’s servers are located in a dedicated temperature controlled and fire resistance room.  Access to the room is from a single door which has a lock, allowing anyone access to the room at any time of day or night.  Whilst on the night shift you are walking past the room and notice the door has been left open.  You open the door and the cleaner is inside the room, sitting at a desk looking at the screen.  You challenge the cleaner, their response is that they had a key to clean the room, unaccompanied.

There is 1 Physical Protection (PE) capability an organisation should maintain. 

DomainCapability
Physical Protection (PE)C028 – Limit physical access

11. Risk Assessment (RA)

Managing cyber-attacks and the consequences of a cyber-attack is an enterprise wide risk management issue.  Cyber-attacks can impact any part of an organisation from the board room to the shop floor and extend through the organisation’s supply chain.  Attacks can be targeted or general and can range in impact from minor disruption with no data theft to ransomware attacks which can bankrupt an organisation and lead to the theft of its most critical IP.  With such a range of possible threats and outcomes it is important that an organisation identifies and manages those risks which it believes are the most significant.  Defining its ‘risk appetite’ and identifying those risks it is willing to accept and those which it is not, putting in place the necessary mitigating actions to manage those risks appropriately.  Given the economic impact and return on investment (ROI) which the company needs to assess.

Example:  The organisation has completed an assessment of its cybersecurity using NIST 800-171R2.  It has estimated that to comply fully with all the identified practices it must spend an additional $10Mn.  A significant investment in technology, people and processes.  In order that the company can identify the most effective way to move forward, it has agreed to identify all of the FCI and CUI data it manages on behalf of its customers and suppliers.  Identifying the risk to the company should this data be stolen, damaged or destroyed and putting in place a risk register and associated plan of action and milestones (POAM).  The POAM defines the necessary controls and mitigating actions and appropriate investment to secure the FCI and CUI, based upon the risk to the organisation and return on investment (ROI).

There are 3 Risk Assessment (RA) capabilities an organisation should maintain.

DomainCapability
Risk Assessment (RA)C031 – Identify and evaluate risk
C032 – Manage risk
C033 – Manage supply chain risk

12. Security Assessment (CA)

Security assessment is an evaluation of the security posture of the organisation.  Based upon its ability to manage its cyber risk profile.  Identifying its inherent risks, assessing the effectiveness of its controls environment and evaluating its residual risk profile.  It is an exercise which continually evolves and improves based upon the changing business environment.  It can be managed through the creation, adoption and management of a systems security plan (SSP).  A document in which an organisation describes the security controls in use across its information system, their effectiveness and method of oversight and assurance.  Once completed an SSP provides a detailed narrative of the roles and responsibilities for security management and reporting within the organisation, the organisation’s security control implementation, detailed system descriptions, component and services inventory and detailed depictions of the system’s data flows within the organisation.

Example:  The organisation is developing its manufacturing to include the manufacture of a new product on behalf of its customer.  Requiring the addition of new design, manufacturing and sales capacity.  Requiring the additional investment in CAD, PDM & ERP and shop floor machine tools.  These new systems will need to be assessed and secured appropriately in-line with the organisation’s current security practices (NIST 800-171 R2) and the organisation’s SSP updated to reflect their addition to the company and security requirement to protect the CUI they will manage.

There are 3 Security Assessment (CA) capabilities an organisation should maintain. 

DomainCapability
Security Assessment (CA)C034 -Develop and manage a system security plan.
C035 – Define and manage controls.
C036 – Perform code reviews.

13. System Communications Protection (SC)

Organisations use a wide variety of technology devices to conduct their business operations.  Devices which are connected to form an ecosystem for the creation, transmission, consumption and servicing of data, which is unique to their business operations.  All these devices, networks, communications, and data need to be secured appropriately.  To do this it is important that an organisation has a clear view of its perimeter, including technology, processes, people and data, the maturity of the security solutions across these domains and has appropriate designs in place to leverage all the security solutions available to provide an adequate level of security.  Including network security, access management, data loss prevention, code security, encryption and sand-boxing amongst other practices.

Example: The organisation is subcontracting the manufacture of a component required as part of a contract with the DoD, to a third-party supplier.  This requires the regular transmission of CUI between both parties.  The organisation will need to identify the data flows between both parties and the systems which will create, transmit and secure the relevant CUI throughout the life cycle of the product procurement, design, manufacture, delivery and maintenance.  Ensuring that the appropriate controls have been applied to secure the data through its lifestyle between itself and the third-party supplier.

CMMC defines 2 System Communications Protection capabilities.

There are 3 Security Assessment (CA) capabilities an organisation should maintain

DomainCapability
Systems and Communications Protection (SC)C038 – Define security requirements for systems and communications.
C039 – Control communications at system boundaries.

14. System Information Integrity (SI)

Information integrity is a critical requirement to maintaining the confidentiality, integrity and availability of FCI and CUI which is the primary goal of information security and cyber risk management.  It requires the adoption of a broad range of security practices including the remediation of known software flaws (security by design, vulnerability scanning and patch management), the identification and management of malicious software (Anti-Virus), SPAM protection (the identification and removal of known sources of SPAM at all entry points), systems monitoring (the identification and alert of changes in systems security), the oversight of security alerts, advisories and directives (the assessment of security threats), information output handling and retention (information is handled in line with federal laws).

Example:  A member of staff receives a SPAM email, which contains a link to a malicious website.  They click on the link which subsequently downloads malicious code to their laptop.  The antivirus software on their laptop has not been updated for several weeks and therefore did not detect the payload which was installed on the employees laptop, and enabled the Remote Desktop Protocol (RDP) on the device.  Giving the hacker direct access to the laptop and enabling them to control the device remotely.  Gaining a foothold on to the network.

CMMC defines 4 Systems Information Integrity (SI) capabilities.

DomainCapability
Systems and Information Integrity (SI)C040 – Identify and manage information system flaws.
C041 – Identify malicious content.
C042 – Perform network and system monitoring.
C043 – Implement advanced email protections.