The Cybersecurity Maturity Model Certification (CMMC) is a certification framework for contractors working with the Department of Defense (and soon other agencies) to mitigate cybersecurity threats. Level 1 certification includes 17 unique practices, while Level 2 comprises 93. In total there are 110 practices across the 14 domains of CMMC for small business.


The certification covers 14 unique domains:

  • AC (Access Control): 4 essential practices for Level 1; companies seeking Level 2 certification need to verify 18 practices.
  • AT (Awareness and Training): three practices, required only for Level 2 certification. This may require yearly training and related verification for key personnel.
  • AU (Audit and Accountability): 9 unique practices.
  • CM (Configuration Management): 9 practices.
  • IA (Identification and Authentication): a total of 11 unique practices.
  • IR (Incident Response): 3 practices.
  • MA (Maintenance): 6 practices.
  • MP (Media Protection): 9 practices.
  • PS (Personnel Security): slightly shorter, with 2 practices.
  • PE (Physical Protection): 6 practices.
  • RA (Risk Assessment): 3 practices.
  • CA (Security Assessment): 4 practices covering security assessment methods.
  • SC (System and Communications Protection): 16 practices in total.
  • SI (System and Information Integrity): 7 best practices.


Each practice can be addressed by reading its definition and researching how your organization handles it. They all concern methods of handling CUI, or controlled unclassified information. Many lists of these practices circulate, partly because the methods, assessment requirements and even the domain names have changed frequently.

These are part of CMMC v2. The DoD cyber strategy features all of the domains listed above, and auditors look to these standards when authorizing CMMC for small business at the federal level.

One effective way to mitigate security threats in network security is to evaluate each of the above domains and create a strategy for addressing issues as they arise. A good CMMC defense builds on CMMC Level 1 and adds more robust methods in the domains that were added later, especially risk assessment, security assessment and incident response. These are some of the factors used to evaluate an organization's CMMC maturity, which is essentially its capacity to keep up with ongoing changes to its digital environment as it develops.
