What are the CMMC Capabilities?

Does your business need to get ready for a Cybersecurity Maturity Model Certification (CMMC) audit? One of the first steps in that business-critical process is getting familiar with the CMMC framework, including its structure and key terms.

If you’ve taken a look at the latest version of the CMMC Model document, version 1.02, you know that the CMMC is a “maturity model” that defines compliance in terms of five maturity levels and associated maturity processes. The CMMC framework organizes 173 practices (aka controls) into 17 domains (including the “families” set forth by NIST SP 800-171). To add some additional structure, the practices within each domain are mapped to a total of 43 capabilities.

What are the CMMC capabilities all about? We hope you find these FAQs helpful.

What are the 43 CMMC capabilities?

The National Institute of Standards and Technology (NIST) defines a capability as ‘a set of mutually reinforcing security controls implemented by technical, physical, and procedural means. The controls that fall within each capability achieve a common information security-related purpose (e.g., Control internal system access).’ There are 43 CMMC capabilities that map to the 17 CMMC domains.

This table shows how the 43 CMMC capabilities fit into the 17 CMMC domains:

Access Control (AC)
· Establish system access requirements
· Control internal system access
· Control remote system access
· Limit data access to authorized users and processes

Asset Management (AM)
· Identify and document assets

Audit and Accountability (AU)
· Define audit requirements
· Perform auditing
· Identify and protect audit information
· Review and manage audit logs

Awareness and Training (AT)
· Conduct security awareness activities
· Conduct training

Configuration Management (CM)
· Establish configuration baselines
· Perform configuration and change management

Identification and Authentication (IA)
· Grant access to authenticated entities

Incident Response (IR)
· Plan incident response
· Detect and report events
· Develop and implement a response to a declared incident
· Perform post incident reviews
· Test incident response

Maintenance (MA)
· Manage maintenance

Media Protection (MP)
· Identify and mark media
· Protect and control media
· Sanitize media
· Protect media during transport

Personnel Security (PS)
· Screen personnel
· Protect CUI during personnel actions

Physical Protection (PE)
· Limit physical access

Recovery (RE)
· Manage back-ups

Risk Management (RM)
· Identify and evaluate risk
· Manage risk

Security Assessment (CA)
· Develop and manage a system security plan
· Define and manage controls
· Perform code reviews

Situational Awareness (SA)
· Implement threat monitoring

Systems and Communications Protection (SC)
· Define security requirements for systems and communications
· Control communications at system boundaries

System and Information Integrity (SI)
· Identify and manage information system flaws
· Identify malicious content
· Perform network and system monitoring
· Implement advanced email protections

Some of the domains don’t specify practices for every capability at every level. For example, some of the capabilities come into play only at higher CMMC maturity levels. However, because the CMMC practices are cumulative across levels, all the lower-level practices will be required at higher levels.

For example, in the Asset Management (AM) domain, there are no practices required for capability C006, Manage asset inventory, until Level 4. This means that CMMC certification at Levels 1, 2 or 3 does not mandate compliance with any practices for that C006 capability. However, at Level 4 (and thus also at Level 5), practice AM.4.226 is required. No further practices are mandated at Level 5, so Level 5 certification for this capability would require you to implement only AM.4.226.

What is the purpose of the 43 CMMC capabilities?

Capabilities can be used to simplify the design of a CMMC cybersecurity program as they provide an additional hierarchical mapping mechanism that falls between the 17 Domains and the 130 controls. For example, the Access Control domain is mapped to 4 capabilities that logically group the 26 controls within the domain.

Do we have to comply with the CMMC capabilities?

To concretely prove compliance with each capability, an Organization Seeking Certification (OSC) must demonstrate that it adheres to various practices (administrative, technical, policy and process controls), including indicators of how well the practices have been operationalized as required for the applicable CMMC maturity level.

How can we leverage the CMMC capabilities to help us get certified?

When you are reviewing or comparing the CMMC standard against your environment, the capabilities provide additional structure to the [best] practices within each CMMC domain. These “subgroups” can help you judge whether or not your organization has implemented, and has culturally adopted, a particular set of practices.

For example, if you were to step through the domains and capabilities one by one, you’d probably start with practice AC.1.001 within the “Establish system access requirements” capability within the Access Control (AC) domain. As you go along, you could record the status of each capability (or individual practices) in relation to your chosen CMMC level; for example, as “implemented,” “not implemented,” “not in scope,” etc.

Next steps

Many DIB companies lack sufficient in-house expertise and resources to prepare for CMMC assessment on their own, especially if they need to comply with CMMC Level 3 or above (required for handling Controlled Unclassified Information or CUI).

To connect with a CMMC expert to discuss your specific CMMC compliance questions, contact Pivot Point Security.