CMMC Domain Coverage Map: All 14 Domains Explained
CMMC Level 2 covers 110 security practices across 14 domains. Each domain addresses a distinct area of cybersecurity. Understanding what each domain covers — and how many practices it contains — is essential for scoping your preparation.
Here's the complete map.
Access Control (AC) — 22 Practices
The largest domain. AC controls who can access your systems, networks, and data. Key areas include:
- Limiting system access to authorized users
- Controlling access to CUI based on approved authorizations
- Enforcing separation of duties
- Using least-privilege principles
- Controlling remote access sessions
- Controlling access via mobile devices
AC is where most organizations have the most work to do. It touches identity management, network segmentation, and access review processes.
System and Communications Protection (SC) — 16 Practices
The second-largest domain. SC focuses on protecting data in transit and at rest:
- Monitoring and controlling communications at system boundaries
- Using FIPS-validated encryption for CUI
- Prohibiting remote activation of collaborative computing devices
- Controlling and protecting the use of Voice over IP
- Protecting the authenticity of communications sessions
SC often requires significant technical investment — encryption, boundary protection devices, and network monitoring tools.
Identification and Authentication (IA) — 11 Practices
IA ensures that users and devices are who they claim to be:
- Identifying and authenticating users, processes, and devices
- Using multi-factor authentication for network and privileged access
- Employing replay-resistant authentication mechanisms
- Preventing reuse of identifiers and passwords
- Enforcing password complexity and change requirements
MFA implementation is one of the most frequently assessed practices in this domain.
Configuration Management (CM) — 9 Practices
CM ensures systems are configured securely and consistently:
- Establishing baseline configurations
- Tracking and controlling configuration changes
- Analyzing security impact of changes before implementation
- Enforcing configuration settings across the organization
- Restricting, disabling, or preventing nonessential functions
Audit and Accountability (AU) — 9 Practices
CMMC Level 2 Domain Summary
Below is a concise, domain-by-domain reference, suitable as a quick study aid or as a guide for mapping evidence to domains.
Domain Overview Table
| Domain | Abbrev | Practices | Core Focus | Primary Assessor Question |
|--------------------------------------|--------|-----------|-------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
| Access Control | AC | 22 | Who can access what, from where, and under what conditions | “Show me how you control who accesses CUI and prove that unauthorized access is prevented.” |
| Awareness and Training | AT | 3 | Making sure personnel understand and can execute security duties | “Show me training records for the last 12 months. Can your sysadmin explain their IR role?” |
| Audit and Accountability | AU | 9 | Logging, protecting, and reviewing system activity | “Show me the last time you investigated a security alert and what actions were taken.” |
| Configuration Management | CM | 9 | Secure baselines and controlled, reviewed changes | “Show me your baseline and walk me through your last change request and security review.” |
| Identification and Authentication | IA | 11 | Strong, unique IDs and MFA for users/devices | “How do you enforce MFA for all privileged accounts? Show enrollment and exceptions.” |
| Incident Response | IR | 3 | Preparing for, detecting, and handling incidents | “Walk me through your last incident or your last tabletop exercise.” |
| Maintenance | MA | 6 | Secure on-site and remote maintenance | “How do you handle remote maintenance? Show access logs and approvals.” |
| Media Protection | MP | 9 | Protecting CUI on physical/digital media throughout its lifecycle | “What happens when a laptop is decommissioned? Show media sanitization records.” |
| Personnel Security | PS | 2 | Screening and managing people with CUI access | “What happens to access when someone leaves or changes roles? Show the last termination.” |
| Physical Protection | PE | 6 | Controlling physical access to facilities and equipment | “Who has physical access to your server room? Show the last 30 days of access logs.” |
| Risk Assessment | RA | 3 | Identifying, analyzing, and prioritizing risks | “Show recent vulnerability scans. How do you prioritize remediation?” |
| Security Assessment | CA | 4 | Evaluating and improving controls over time | “Show your SSP, when it was last updated, and whether it matches reality.” |
| System and Communications Protection | SC | 16 | Protecting data in transit and at boundaries | “Show how CUI is encrypted in transit/at rest and walk through network segmentation.” |
| System and Information Integrity | SI | 7 | Patching, malware defense, and detecting unauthorized use | “How quickly do you apply critical patches? Show last quarter’s patching timeline.” |
High-Impact Domains to Prioritize
- Access Control (AC – 22 practices): Largest domain; touches every user, system, and data flow. Weak AC undermines many other controls.
- System and Communications Protection (SC – 16 practices): Second-largest; covers network boundaries, segmentation, and encryption.
Together, AC + SC = 38 practices (~35% of Level 2). Getting these two domains right provides disproportionate coverage for your assessment.
Common Cross-Domain Gaps to Watch
- Evidence vs. reality: SSP, baselines, and procedures exist on paper but don’t match live systems (CA, CM, AC, SC).
- Unreviewed logs: Logging is enabled but not regularly reviewed or correlated (AU, IR, SI).
- Partial MFA: MFA only for remote access, not for local privileged accounts (IA, AC).
- Unmanaged remote/alternate work: Home offices and remote maintenance lack strong controls (PE, MA, AC, SC).
- Training without records: Training is done informally with no documentation or role-based differentiation (AT, IR).
- Scanning without fixing: Vulnerability scans run, but remediation is not tracked or prioritized (RA, SI, CA).
Using This Map for Preparation
- Self-assess by domain: Score each practice as MET / PARTIAL / NOT MET and tally by domain.
- Target remediation: Focus first on domains with the most NOT MET items, especially AC, SC, AU, CM, IA, and SI.
- Organize evidence binders: One section per domain, aligned to these focus areas and assessor questions.
- Rehearse with scenarios: Practice walking assessors through: a recent change (CM), an incident or tabletop (IR), a scan and remediation cycle (RA/SI), and how CUI flows and is protected (AC/SC/MP).
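The self-assessment and remediation-targeting steps above can be kept honest with a small script. The following is an added example, not code from the page or from the Cubelet simulator it describes: it takes MET / PARTIAL / NOT MET scores per practice, counts any practice you have not scored as NOT MET (an unproven control earns no credit), checks that the domain map really sums to 110, and ranks domains by NOT MET count for remediation. The practice IDs (`AC-01`, `SC-02`, …) and the scores are constructed sample data, not real CMMC practice identifiers.

```python
"""Tally a CMMC Level 2 self-assessment by domain and rank remediation targets.

Added example, not part of the original page. The per-domain practice counts
are the ones the page lists; the assessment results below are constructed
sample data with placeholder practice IDs (not real CMMC identifiers).
"""
from collections import defaultdict

# Practice counts per domain as listed on the page; they must sum to 110.
DOMAIN_PRACTICES = {
    "AC": 22, "SC": 16, "IA": 11, "CM": 9, "AU": 9, "MP": 9, "SI": 7,
    "MA": 6, "PE": 6, "CA": 4, "RA": 3, "AT": 3, "IR": 3, "PS": 2,
}
LEVEL2_TOTAL = 110
STATUSES = ("MET", "PARTIAL", "NOT MET")

# Constructed sample scores: a partially completed self-assessment.
SAMPLE_RESULTS = [
    ("AC-01", "MET"), ("AC-02", "MET"), ("AC-03", "PARTIAL"), ("AC-04", "NOT MET"),
    ("SC-01", "MET"), ("SC-02", "NOT MET"), ("SC-03", "NOT MET"),
    ("IA-01", "MET"), ("IA-02", "PARTIAL"),
    ("AU-01", "MET"), ("CM-01", "MET"),
    ("PS-01", "MET"), ("PS-02", "MET"),
]


def check_domain_map(domains=DOMAIN_PRACTICES, total=LEVEL2_TOTAL):
    """True when there are 14 domains and their practice counts add up to the Level 2 total."""
    return len(domains) == 14 and sum(domains.values()) == total


def tally_by_domain(results, domains=DOMAIN_PRACTICES):
    """Return {domain: {status: count}} for every domain.

    results is an iterable of (practice_id, status); the practice ID is prefixed
    by the domain abbreviation, e.g. "AC-07". Practices that were never scored
    are counted as NOT MET, so an incomplete assessment never looks better than
    a complete one. Unknown domains, bad statuses, duplicate scores and more
    scores than a domain has practices are rejected as data-entry errors.
    """
    tally = {d: {s: 0 for s in STATUSES} for d in domains}
    seen = defaultdict(set)
    for pid, status in results:
        domain = pid.split("-", 1)[0]
        if domain not in domains:
            raise ValueError(f"unknown domain in practice ID {pid!r}")
        if status not in STATUSES:
            raise ValueError(f"invalid status {status!r} for {pid}")
        if pid in seen[domain]:
            raise ValueError(f"duplicate score for {pid}")
        seen[domain].add(pid)
        tally[domain][status] += 1
    for domain, expected in domains.items():
        scored = len(seen[domain])
        if scored > expected:
            raise ValueError(f"{domain}: {scored} scored but only {expected} practices exist")
        tally[domain]["NOT MET"] += expected - scored  # unscored == unproven
    return tally


def remediation_order(tally, domains=DOMAIN_PRACTICES):
    """Domains ranked by NOT MET count, then PARTIAL count, then domain size, then name."""
    return sorted(
        tally,
        key=lambda d: (-tally[d]["NOT MET"], -tally[d]["PARTIAL"], -domains[d], d),
    )


def readiness(tally):
    """Fraction of all Level 2 practices that are fully MET (PARTIAL earns nothing)."""
    met = sum(t["MET"] for t in tally.values())
    total = sum(sum(t.values()) for t in tally.values())
    return met / total


if __name__ == "__main__":
    assert check_domain_map(), "domain counts do not sum to 110"
    t = tally_by_domain(SAMPLE_RESULTS)
    print(f"readiness: {readiness(t):.1%}")
    for d in remediation_order(t):
        print(f"{d}: MET={t[d]['MET']:2d} PARTIAL={t[d]['PARTIAL']:2d} NOT MET={t[d]['NOT MET']:2d}")
```

Run as a script it prints the domain list in remediation order; with the sample data AC and SC lead because most of their practices are still unscored, which is exactly the point of scoring unscored practices as NOT MET before an assessor does it for you.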
CMMC Level 2 Domains and Practice Counts
CMMC Level 2 includes 110 security practices organized into 14 domains:
- Access Control (AC) — 22 practices
- System and Communications Protection (SC) — 16 practices
- Identification and Authentication (IA) — 11 practices
- Configuration Management (CM) — 9 practices
- Audit and Accountability (AU) — 9 practices
- Media Protection (MP) — 9 practices
- System and Information Integrity (SI) — 7 practices
- Maintenance (MA) — 6 practices
- Physical Protection (PE) — 6 practices
- Security Assessment (CA) — 4 practices
- Risk Assessment (RA) — 3 practices
- Awareness and Training (AT) — 3 practices
- Incident Response (IR) — 3 practices
- Personnel Security (PS) — 2 practices
Preparation focus: Most organizations start with the highest-impact domains: AC, SC, and IA, since together they represent nearly half of all Level 2 practices and drive much of the technical and procedural effort.
The Cubelet CMMC Simulator supports practicing by domain, treating each practice as a "knowledge atom" with six facets of understanding to help build real readiness rather than simple checkbox compliance.
Ready to practice?
The CMMC Assessment Simulator covers all 110 Level 2 practices with AI-guided coaching.