Access Control (AC)
Access Control is a fundamental security domain and a set of security principles applied to both physical and logical assets. CMMC defines 4 Access Control (AC) capabilities - Establish system access requirements, Control internal system access, Control remote system access, and Limit data access to authorized users and processes.
Asset Management (AM)
An organization consists of many tangible and intangible assets, such as buildings, laptops, people, PCs, and data. More assets mean a broader 'attack surface'. CMMC defines 2 Asset Management (AM) capabilities - Identify and document assets, and Manage asset inventory.
Awareness and Training (AT)
Forewarned is forearmed. To identify and manage cyber threats, an organization has to be aware of what they are and be trained to recognize and handle them. CMMC defines 2 Awareness and Training (AT) capabilities - Conduct security awareness activities, and Conduct training.
Audit and Accountability (AU)
Audit logging is an important requirement for system governance and supports a wide range of activities. CMMC defines 4 Audit and Accountability (AU) capabilities - Define audit requirements, Perform auditing, Identify and protect audit information, and Review and manage audit logs.
Configuration Management (CM)
Configuration Management helps establish a consistent, controlled, and audited process for managing system changes, and with them system security, performance, and functionality. CMMC defines 2 Configuration Management (CM) capabilities - Establish configuration baselines, and Perform configuration and change management.
Identification and Authentication (IA)
Before users are allowed to access systems, they need to be identified and authenticated. This keeps systems secure and free of unauthorized access. CMMC defines 1 Identification and Authentication (IA) capability - Grant access to authenticated entities.
Incident Response (IR)
An IR plan is a clear set of actions to detect, respond to, and recover from an attack. CMMC defines 5 Incident Response (IR) capabilities - Plan incident response, Detect and report events, Develop and implement a response to a declared incident, Perform post-incident reviews, and Test incident response.
Maintenance (MA)
Regular system maintenance keeps operations running smoothly and minimizes the risk of breakdown. It helps find vulnerabilities and address threats before they materialize. CMMC defines 1 Maintenance (MA) capability - Manage maintenance.
Media Protection (MP)
Data is the lifeblood of modern organizations and hence needs to be protected in whatever form it takes, logical or physical. CMMC defines 4 Media Protection (MP) capabilities - Identify and mark media, Protect and control media, Sanitize media, and Protect media during transport.
Personnel Security (PS)
The most important asset of an organization is its people, yet some of the largest security attacks and data breaches originate from inside, making personnel security all the more important. CMMC defines 2 Personnel Security (PS) capabilities - Screen personnel, and Protect CUI during personnel actions.
Physical Protection (PE)
Physical and logical protection go hand in hand. Assets such as computers, laptops, and servers holding the company's IP cannot be protected without physical protection, which ensures the safety of the organization's IP infrastructure. CMMC defines 1 Physical Protection (PE) capability - Limit physical access.
Recovery (RE)
IT and system failures are part of an organization's operating environment. A recovery plan protects its assets, IP, FCI, and CUI, and helps the organization overcome specific disaster scenarios and possible threats. CMMC defines 2 Recovery (RE) capabilities - Manage backups, and Manage information security continuity.
Risk Management (RM)
Effective risk management helps an organization manage cyber-attacks and their consequences by identifying and managing the most significant risks, threats, or attacks. CMMC defines 3 Risk Management (RM) capabilities - Identify and evaluate risk, Manage risk, and Manage supply chain risk.
Security Assessment (CA)
Security Assessment means evaluating the security measures the organization has undertaken to manage its cyber risk profile. CMMC defines 3 Security Assessment (CA) capabilities - Develop and manage a system security plan, Define and manage controls, and Perform code reviews.
Situational Awareness (SA)
Cyber-attacks are a constant threat to almost all organizations. Situational Awareness allows organizations to identify the threats that apply to their business, either directly or indirectly. CMMC defines 1 Situational Awareness (SA) capability - Implement threat monitoring.
Systems and Communications Protection
Systems and Communications Protection gives organizations a clear view of the level of security that needs to be applied to their systems and communications. CMMC defines 2 Systems and Communications Protection capabilities - Define security requirements for systems and communications, and Control communications at system boundaries.
System and Information Integrity (SI)
System and Information Integrity is required to maintain the confidentiality, integrity, and availability of FCI and CUI. CMMC defines 4 System and Information Integrity (SI) capabilities - Identify and manage information system flaws, Identify malicious content, Perform network and system monitoring, and Implement advanced email protections.