Domain Requirements for CMMC Compliance Checklist

A Guide to the Cybersecurity Maturity Model Certification (CMMC)

Since 2018, every U.S. contractor and subcontractor that handles Controlled Unclassified Information (CUI) for the Department of Defense has been required to comply with NIST SP 800-171. Under those requirements a contractor could self-assess its security program rather than undergo a third-party evaluation, and in practice only a small share of vendors across the Defense Industrial Base actually became DFARS compliant. The Cybersecurity Maturity Model Certification (CMMC) is the DoD's answer to that compliance problem. 


CMMC certification is not optional: every business that wants to win contracts with the DoD must hold it. Defense contractors and subcontractors differ widely in size and in the sensitivity of the information they handle, so the CMMC model is structured to cover every Defense Industrial Base vendor that deals with CUI. 

The CMMC model comprises 17 domains, each with its own set of capabilities for protecting data. Most of these domains are drawn from FIPS 200 and the control families of NIST SP 800-171. 


In this post we look at the domains of the CMMC model and what complying with each of them requires. 

  • Access Control 

It is essential to establish who can access your systems, who has the authority to grant and revoke internal access, and to limit each user's access to only the data and functions they need. 


  • Asset Management

Asset management covers locating, identifying, and keeping an inventory of the company's assets, so that every system that stores or processes CUI is known and accounted for. 


  • Audit & Accountability

To comply with the audit and accountability domain, the company needs audit records that show which users accessed CUI, what they did, and when, so that each action can be traced to an individual. It also needs a process for reviewing those logs, so that accountability is enforced rather than merely recorded. 
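What such a review looks like in practice, as an added example that is not part of the original post: the script below parses a few constructed audit records, summarises each user's actions on CUI-labelled resources, and flags records that undermine accountability (access from an account that cannot be tied to one person, access outside business hours, and deletion of CUI). The record format, the field names and the list of non-attributable accounts are assumptions made for this example.

```python
"""Audit-log review helper (added example, not from the original post)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a simple key=value format; the field names
# (ts, user, action, path, label) are assumptions for this example.
SAMPLE_LOG = """\
ts=2024-03-04T09:12:01Z user=jdoe action=read path=/projects/alpha/spec.docx label=CUI
ts=2024-03-04T09:15:44Z user=jdoe action=write path=/projects/alpha/spec.docx label=CUI
ts=2024-03-04T11:02:10Z user=asmith action=read path=/public/handbook.pdf label=PUBLIC
ts=2024-03-04T23:40:05Z user=shared-admin action=read path=/projects/alpha/drawings.zip label=CUI
ts=2024-03-05T08:01:00Z user=asmith action=read path=/projects/alpha/spec.docx label=CUI
ts=2024-03-05T08:01:30Z user=asmith action=delete path=/projects/alpha/spec.docx label=CUI
"""

RECORD_RE = re.compile(r"(\w+)=(\S+)")

# Accounts that cannot be tied to a single individual; assumed for this example.
NON_ATTRIBUTABLE = {"shared-admin", "root", "administrator"}


def parse_records(text):
    """Turn key=value lines into dicts, converting the timestamp to datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(RECORD_RE.findall(line))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def cui_access_by_user(records):
    """Count actions per user on CUI-labelled resources only."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["label"] == "CUI":
            summary[r["user"]][r["action"]] += 1
    return {user: dict(actions) for user, actions in summary.items()}


def findings(records, business_hours=(7, 19)):
    """Return (finding, user, path) tuples for CUI records a reviewer should act on."""
    out = []
    for r in records:
        if r["label"] != "CUI":
            continue
        if r["user"] in NON_ATTRIBUTABLE:
            out.append(("non-attributable-account", r["user"], r["path"]))
        if not (business_hours[0] <= r["ts"].hour < business_hours[1]):
            out.append(("after-hours-access", r["user"], r["path"]))
        if r["action"] == "delete":
            out.append(("cui-deleted", r["user"], r["path"]))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for user, actions in cui_access_by_user(recs).items():
        print(f"{user}: {actions}")
    for finding in findings(recs):
        print("FINDING:", *finding)
```

The point of the "non-attributable-account" finding is that an audit trail only provides accountability when each record names one person; a shared administrator account produces a complete log that still cannot answer who did it.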


  • Awareness & Training

The requirement is to provide security awareness training to all personnel, so that they recognise the threats to CUI and understand their own responsibilities in protecting it. 


  • Configuration Management

Establish and maintain baseline configurations for your systems, and control and track changes against those baselines, so that drift from a known secure state is detected rather than discovered after an incident.
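A minimal baseline check, added here as an example and not taken from the original post: a documented baseline and a snapshot of a host's current settings are parsed into key/value pairs and compared, and every deviation is reported as changed, missing or unexpected. The sshd_config-style format and both sets of values are constructed for this example, not copied from any real system.

```python
"""Configuration baseline drift check (added example, not from the original post)."""

# Constructed baseline and host snapshot in "Key value" style, as in sshd_config.
# Both are assumptions for this example, not a real system's files.
BASELINE = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

SNAPSHOT = """\
# captured from a host after a manual change
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 4
LogLevel VERBOSE
AllowTcpForwarding yes
"""


def parse_config(text):
    """Parse 'Key value' lines into a dict, ignoring blanks and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def drift(baseline_text, snapshot_text):
    """Return deviations of the snapshot from the baseline, grouped by kind.

    'missing' keys matter even when the software default happens to be safe:
    a baseline that requires the value to be set explicitly is what makes a
    later change visible.
    """
    base = parse_config(baseline_text)
    cur = parse_config(snapshot_text)
    return {
        "changed": {k: (base[k], cur[k]) for k in base if k in cur and cur[k] != base[k]},
        "missing": sorted(k for k in base if k not in cur),
        "unexpected": sorted(k for k in cur if k not in base),
    }


def is_compliant(baseline_text, snapshot_text):
    """True only when the snapshot matches the baseline exactly."""
    d = drift(baseline_text, snapshot_text)
    return not (d["changed"] or d["missing"] or d["unexpected"])


if __name__ == "__main__":
    for kind, items in drift(BASELINE, SNAPSHOT).items():
        print(f"{kind}: {items}")
    print("compliant:", is_compliant(BASELINE, SNAPSHOT))
```

Run against a fleet, the same comparison becomes the evidence an assessor asks for: the baseline document, the date each host was checked, and the list of deviations with the change ticket that authorised each one.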


  • Identification & Authentication

The identification and authentication domain requires that every user, process, and device is identified and authenticated before it is granted access. Each person in the organization should have a defined role and level of access, held in an individual account rather than a shared one, so that their actions can be attributed to them for reporting and accountability purposes. 

  • Incident Response

The company should maintain an incident response plan, together with the capability to detect, report, and respond to security incidents and to recover from them. 


  • Maintenance

This domain requires a controlled maintenance process, so that repairs and updates keep systems operating effectively without weakening their protection. 


  • Media Protection

Under the compliance norms, the company must show that media containing CUI carries the required CUI markings and distribution limitations. It must also be able to show that the media is protected while stored, sanitized or destroyed before disposal or reuse, and protected while in transport. 


  • Personnel Security

All personnel must be screened before they are given access to CUI. The compliance requirement also asks the company to show that CUI remains protected at all times, including when personnel are transferred or leave the organization. 


  • Physical Protection

The compliance norms require the company to show that its assets are protected by robust physical security, including limiting and monitoring physical access to the systems and equipment that hold CUI.