Capabilities: Embedding FCI and CUI protection

Cyber capabilities are important for any organisation that wants to manage cybersecurity successfully. Capabilities are not single outcomes but a combination of processes, skills, knowledge, tools and behaviours that work together to enable an organisation to deliver a specific security outcome. There are 38 cybersecurity capabilities associated with the 14 NIST SP 800-171 security domains, which should be achieved by an organisation at each level of maturity (Level 1, 2, 3) if the associated cybersecurity practices are deployed and managed appropriately.

The 14 NIST SP 800-171 security domains and capabilities associated with CMMC 2.0 are detailed below.

CMMC Domains and associated cybersecurity capabilities
  • C001: Establish systems access requirements.
  • C002: Control internal systems access.
  • C003: Control remote systems access.
  • C004: Limit data access to authorised users and processes.
  • C007: Define audit requirements.
  • C008: Perform auditing.
  • C009: Identify and protect audit information.
  • C010: Review and manage audit logs.
  • C011: Conduct security awareness activities.
  • C012: Conduct training.
  • C013: Establish configuration baselines.
  • C014: Perform configuration and change management.
  • C015: Grant access to authenticated entities.
  • C016: Plan incident response.
  • C017: Detect and report events.
  • C018: Develop and implement a response to a declared incident.
  • C019: Perform post-incident reviews.
  • C020: Test incident response.
  • C021: Manage maintenance.
  • C022: Identify and mark media.
  • C023: Protect and control media.
  • C024: Sanitise media.
  • C025: Protect media during transport.
  • C026: Screen personnel.
  • C027: Protect CUI during personnel actions.
  • C028: Limit physical access.
  • C031: Identify and evaluate risk.
  • C032: Manage risk.
  • C033: Manage supply chain risk.
  • C034: Develop and manage a system security plan.
  • C035: Define and manage controls.
  • C036: Perform code reviews.
  • C038: Define security requirements for systems and communications.
  • C039: Control communications at systems boundaries.
  • C040: Identify and manage information systems flows.
  • C041: Identify malicious content.
  • C042: Perform network and system monitoring.
  • C043: Implement advanced email protections.