CMMC 2.0
Cybersecurity Maturity Model Certification for the defense industrial base
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (14)
Access Control
| Code | Title |
|---|---|
| AC.L2-3.1.1 | Authorized Access Control |
| AC.L2-3.1.10 | Session Lock |
| AC.L2-3.1.11 | Session Termination |
| AC.L2-3.1.12 | Control Remote Access |
| AC.L2-3.1.13 | Remote Access Confidentiality |
| AC.L2-3.1.14 | Remote Access Routing |
| AC.L2-3.1.15 | Privileged Remote Access |
| AC.L2-3.1.16 | Wireless Access Authorization |
| AC.L2-3.1.17 | Wireless Access Protection |
| AC.L2-3.1.18 | Mobile Device Connection |
| AC.L2-3.1.19 | Encrypt CUI on Mobile |
| AC.L2-3.1.2 | Transaction & Function Control |
| AC.L2-3.1.20 | External Connections |
| AC.L2-3.1.21 | Portable Storage Use |
| AC.L2-3.1.22 | Control Public Information |
| AC.L2-3.1.3 | Control CUI Flow |
| AC.L2-3.1.4 | Separation of Duties |
| AC.L2-3.1.5 | Least Privilege |
| AC.L2-3.1.6 | Non-Privileged Account Use |
| AC.L2-3.1.7 | Privileged Functions |
| AC.L2-3.1.8 | Unsuccessful Logon Attempts |
| AC.L2-3.1.9 | Privacy & Security Notices |
Audit and Accountability
| Code | Title |
|---|---|
| AU.L2-3.3.1 | System Auditing |
| AU.L2-3.3.2 | User Accountability |
| AU.L2-3.3.3 | Event Review |
| AU.L2-3.3.4 | Audit Failure Alerting |
| AU.L2-3.3.5 | Audit Correlation |
| AU.L2-3.3.6 | Reduction & Reporting |
| AU.L2-3.3.7 | Time Stamps & Synchronization |
| AU.L2-3.3.8 | Audit Protection |
| AU.L2-3.3.9 | Audit Management |
Awareness and Training
| Code | Title |
|---|---|
| AT.L2-3.2.1 | Role-Based Risk Awareness |
| AT.L2-3.2.2 | Role-Based Training |
| AT.L2-3.2.3 | Insider Threat Awareness |
Configuration Management
| Code | Title |
|---|---|
| CM.L2-3.4.1 | System Baselining |
| CM.L2-3.4.2 | Security Configuration Enforcement |
| CM.L2-3.4.3 | System Change Management |
| CM.L2-3.4.4 | Security Impact Analysis |
| CM.L2-3.4.5 | Access Restrictions for Change |
| CM.L2-3.4.6 | Least Functionality |
| CM.L2-3.4.7 | Nonessential Functionality |
| CM.L2-3.4.8 | Application Execution Policy |
| CM.L2-3.4.9 | User-Installed Software |
Identification and Authentication
| Code | Title |
|---|---|
| IA.L2-3.5.1 | Identification |
| IA.L2-3.5.10 | Cryptographically-Protected Passwords |
| IA.L2-3.5.11 | Obscure Feedback |
| IA.L2-3.5.2 | Authentication |
| IA.L2-3.5.3 | Multifactor Authentication |
| IA.L2-3.5.4 | Replay-Resistant Authentication |
| IA.L2-3.5.5 | Identifier Reuse |
| IA.L2-3.5.6 | Identifier Handling |
| IA.L2-3.5.7 | Password Complexity |
| IA.L2-3.5.8 | Password Reuse |
| IA.L2-3.5.9 | Temporary Passwords |
Incident Response
| Code | Title |
|---|---|
| IR.L2-3.6.1 | Incident Handling |
| IR.L2-3.6.2 | Incident Reporting |
| IR.L2-3.6.3 | Incident Response Testing |
Maintenance
| Code | Title |
|---|---|
| MA.L2-3.7.1 | Perform Maintenance |
| MA.L2-3.7.2 | System Maintenance Control |
| MA.L2-3.7.3 | Equipment Sanitization |
| MA.L2-3.7.4 | Media Inspection |
| MA.L2-3.7.5 | Nonlocal Maintenance |
| MA.L2-3.7.6 | Maintenance Personnel |
Media Protection
| Code | Title |
|---|---|
| MP.L2-3.8.1 | Media Protection |
| MP.L2-3.8.2 | Media Access |
| MP.L2-3.8.3 | Media Disposal |
| MP.L2-3.8.4 | Media Markings |
| MP.L2-3.8.5 | Media Accountability |
| MP.L2-3.8.6 | Portable Storage Encryption |
| MP.L2-3.8.7 | Removable Media |
| MP.L2-3.8.8 | Shared Media |
| MP.L2-3.8.9 | Protect Backups |
Personnel Security
| Code | Title |
|---|---|
| PS.L2-3.9.1 | Screen Individuals |
| PS.L2-3.9.2 | Personnel Actions |
Physical Protection
| Code | Title |
|---|---|
| PE.L2-3.10.1 | Limit Physical Access |
| PE.L2-3.10.2 | Monitor Facility |
| PE.L2-3.10.3 | Escort Visitors |
| PE.L2-3.10.4 | Physical Access Logs |
| PE.L2-3.10.5 | Manage Physical Access |
| PE.L2-3.10.6 | Alternative Work Sites |
Risk Assessment
| Code | Title |
|---|---|
| RA.L2-3.11.1 | Risk Assessments |
| RA.L2-3.11.2 | Vulnerability Scan |
| RA.L2-3.11.3 | Vulnerability Remediation |
Security Assessment
| Code | Title |
|---|---|
| CA.L2-3.12.1 | Security Control Assessment |
| CA.L2-3.12.2 | Plan of Action |
| CA.L2-3.12.3 | Security Control Monitoring |
| CA.L2-3.12.4 | System Security Plan |
System and Communications Protection
| Code | Title |
|---|---|
| SC.L2-3.13.1 | Boundary Protection |
| SC.L2-3.13.10 | Key Management |
| SC.L2-3.13.11 | CUI Encryption |
| SC.L2-3.13.12 | Collaborative Device Control |
| SC.L2-3.13.13 | Mobile Code |
| SC.L2-3.13.14 | Voice over Internet Protocol |
| SC.L2-3.13.15 | Communications Authenticity |
| SC.L2-3.13.16 | Data at Rest |
| SC.L2-3.13.2 | Security Engineering |
| SC.L2-3.13.3 | Role Separation |
| SC.L2-3.13.4 | Shared Resource Control |
| SC.L2-3.13.5 | Public-Access System Separation |
| SC.L2-3.13.6 | Network Communication by Exception |
| SC.L2-3.13.7 | Split Tunneling |
| SC.L2-3.13.8 | Data in Transit |
| SC.L2-3.13.9 | Connections Termination |
System and Information Integrity
| Code | Title |
|---|---|
| SI.L2-3.14.1 | Flaw Remediation |
| SI.L2-3.14.2 | Malicious Code Protection |
| SI.L2-3.14.3 | Security Alerts & Advisories |
| SI.L2-3.14.4 | Update Malicious Code Protection |
| SI.L2-3.14.5 | System & File Scanning |
| SI.L2-3.14.6 | Monitor Communications for Attacks |
| SI.L2-3.14.7 | Identify Unauthorized Use |
Your Compliance Coverage
If you comply with CMMC 2.0, you already cover:
| Framework | Coverage | Controls mapped |
|---|---|---|
| NIST SP 800-53 Rev 5 | 29% | 32 |
| CMMC 2.0 Level 1 | 15% | 17 |
| NIST Cybersecurity Framework 2.0 | 6% | 7 |
| DFARS 252.204-7012 - Safeguarding Covered Defense Information | 3% | |
| DISA Security Technical Implementation Guides (STIGs) | 3% | |
Maps to 5 other frameworks
Frequently Asked Questions
What is CMMC 2.0?
CMMC 2.0 (Cybersecurity Maturity Model Certification for the defense industrial base) is a compliance framework from the United States with 14 domains and 110 controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does CMMC 2.0 have?
CMMC 2.0 has 110 controls organised across 14 domains. The largest domains are Access Control (22 controls), System and Communications Protection (16 controls), and Identification and Authentication (11 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does CMMC 2.0 map to?
CMMC 2.0 maps to 5 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (29% coverage), CMMC 2.0 Level 1 (15% coverage), and NIST Cybersecurity Framework 2.0 (6% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with CMMC 2.0 compliance?
Start your CMMC 2.0 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about CMMC 2.0 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 110 controls and track your progress.