CMMC 2.0 Capabilities

The core of the CMMC—i.e., its Security Domains—currently remains unchanged for CMMC 2.0.

In the most recent version, CMMC v1.02, the framework comprised 17 total Domains, which housed 171 Practices. There were also 43 Capabilities, which functioned as basic measures for the outcomes Practices are meant to ensure.

The breakdown of Domains, Capabilities, and Practices in CMMC v1.02 was as follows:

Domain: Capabilities
Access Control (AC)
  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users and processes
Asset Management (AM)
  • Identify and document assets
Audit and Accountability (AU)
  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs
Awareness and Training (AT)
  • Conduct security awareness activities
  • Conduct training
Configuration Management (CM)
  • Establish configuration baselines
  • Perform configuration and change management
Identification and Authentication (IA)
  • Grant access to authenticated entities
Incident Response (IR)
  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post-incident reviews
  • Test incident response
Maintenance (MA)
  • Manage maintenance
Media Protection (MP)
  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport
Physical Protection (PE)
  • Limit physical access
Recovery (RE)
  • Manage backups
Risk Management (RM)
  • Identify and evaluate risk
  • Manage risk
Security Assessment (CA)
  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code reviews
Situational Awareness (SA)
  • Implement threat monitoring
Systems and Communications Protection (SC)
  • Define security requirements for systems and communications
  • Control communications at system boundaries
System and Information Integrity (SI)
  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections

It remains to be seen whether CMMC 2.0 will retain some or all of these Domains, Capabilities, and Practices. It may instead default to NIST requirements.

What are the 43 CMMC 2.0 capabilities?

The National Institute of Standards and Technology (NIST) defines a capability as “a set of mutually reinforcing security controls implemented by technical, physical, and procedural means. The controls that fall within each capability achieve a common information security-related purpose (e.g., Control internal system access).” There are 43 CMMC capabilities, which map to the 17 CMMC domains.

Not all domains specify practices for every capability at every level. For example, some of the capabilities come into play only at higher CMMC maturity levels. However, because the CMMC practices are cumulative across levels, all the lower-level practices will be required at higher levels.

For example, in the Asset Management (AM) domain, there are no practices required for capability C006, Manage asset inventory, until Level 3. This means that CMMC certification at Levels 1 and 2 does not mandate compliance with any practices for the C006 capability. Note that the relationship between capabilities and practices, along with the numbering of the practices, has yet to be remapped to the new CMMC 2.0.

What is the purpose of the 43 CMMC capabilities?

Capabilities can be used to simplify the design of a CMMC cybersecurity program as they provide an additional hierarchical mapping mechanism that falls between the 17 Domains and the associated controls. For example, the Access Control domain is mapped to 4 capabilities that logically group the controls within the domain.

Do we have to comply with the CMMC capabilities?

To concretely prove compliance with each capability, an Organization Seeking Certification (OSC) must demonstrate that it adheres to various CMMC 2.0 practices (administrative, technical, policy and process controls from NIST 800-171), including indicators of how well the practices have been operationalized as required for the applicable CMMC maturity level.

How can we leverage the CMMC capabilities to help us get certified?

When you are reviewing or comparing the CMMC 2.0 standard against your environment, the capabilities add structure to the [best] practices within each CMMC domain. These “subgroups” can help you judge whether or not your organization has implemented and culturally adopted a particular set of practices.

For example, if you were to step through the domains and capabilities one by one, you’d probably start with practice AC.1.001 within the “Establish system access requirements” capability within the Access Control (AC) domain. As you go along, you could record the status of each capability (or individual practices) in relation to your chosen CMMC level; for example, as “implemented,” “not implemented,” “not in scope,” etc.


Next Steps

Many DIB companies lack sufficient in-house expertise and resources to prepare for CMMC assessment on their own, especially if they need to comply with CMMC Level 2 (required for handling Controlled Unclassified Information or CUI) or Level 3.

To connect with a CMMC expert to discuss your specific CMMC compliance questions, contact Pivot Point Security.