CMMC Level 4 Controls
Domain AC: Access Control
The AC control family consists of processes and procedures for regulating who or what can access your organization’s systems, assets and protected data.
Domain AM: Asset Management
Identifying and effectively documenting your organization’s devices and services (e.g., hardware, software, licenses) ensures control over your IT assets and facilitates quick identification and resolution of problems.
Domain AT: Awareness and Training
Through routine awareness and training programs, your staff will learn how to avoid cyberattacks and best safeguard your data and assets, building a culture of cybersecurity within your company.
Domain AU: Audit and Accountability
This family of controls covers your organization’s policies and procedures for defining audit requirements; performing audits of user and system activities; and creating, logging, reviewing, reporting, and protecting audit trails to promote accountability and identify security flaws or violations.
Domain CA: Security Assessment
Routine security assessments and tests must be performed to identify vulnerabilities, minimize gaps in security, and ensure that all necessary security policies, practices and procedures are in place and effective.
Domain CM: Configuration Management
Configuration management activities establish and maintain the integrity of IT assets and systems through delineated processes for setting their baseline configurations, documenting approved changes, and monitoring for unapproved changes.
Domain IA: Identification and Authentication
These security techniques verify that an individual attempting to access your organization’s system through a user account is in fact the authorized user.
Domain IR: Incident Response
A regularly updated incident response plan prepares your organization with set instructions for the prompt and effective detection of, response to and recovery from a cybersecurity incident.
Domain MA: Maintenance
The MA control family details requirements for maintaining your organization’s systems and tools to prevent failures and outages and ensures security measures remain effective.
Domain MP: Media Protection
These controls secure information stored on digital and non-digital media or devices (e.g., USB drives, hard drives, paper hard copies) through procedures for media use, access, marking, storage, transport, sanitization and downgrading.
Domain PE: Physical Protection
Protecting information systems and data requires the physical security of the facilities that house them from all manner of threats (e.g., theft, natural disaster, accidents).
Domain PS: Personnel Security
Personnel security practices ensure that employees, contractors and third-party users have been screened and found suitable prior to being granted access to your organization’s systems, as well as establish procedures to protect your systems when personnel leave their positions, to reduce the risk of theft, insider threat, fraud or misuse.
Domain RE: Recovery
Maintaining plans to restore capabilities or services impaired by a cybersecurity event, including securely backing up and protecting data, allows organizations to minimize damage and quickly resume normal operations.
Domain RM: Risk Management
RM controls involve identifying, assessing, mitigating and monitoring risks to your organization’s IT systems and data, actively working to reduce risk to an acceptable level.
Domain SA: Situational Awareness
Proactively monitoring threats and collecting reliable, actionable intelligence from outside sources regarding the threat landscape will optimize an organization’s ability to detect and neutralize current threats.
Domain SC: Systems and Communications Protection
The SC control family includes techniques for securing your organization’s network boundaries and communications (e.g., boundary protection, cryptographic protection, denial-of-service protection).
Domain SI: System and Information Integrity
SI controls protect system and information integrity by identifying and remediating flaws and malicious content through routine actions, such as network and system monitoring, security alerts, and patch application.