Capabilities: Embedding the FCI and CUI protection

Cybersecurity capabilities are a core building block for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). A capability is not a single outcome but a combination of processes, skills, knowledge, tools and behaviours that together enable an organisation to deliver a specific security outcome. The CMMC framework (version 1.0) defines 43 cybersecurity capabilities grouped under 17 security domains. An organisation demonstrates a capability at a given maturity level (Level 1 to Level 5) by deploying and managing the cybersecurity practices that CMMC assigns to that capability at that level; because not every capability carries practices at every level, the set of capabilities an organisation must evidence grows as it moves up the levels. (CMMC 2.0 later reduced the model to three levels and 14 domains, so the mapping below applies to the original five-level model.)

The 17 security domains and their associated 43 capabilities are listed below, grouped by domain.

CMMC domains and associated cybersecurity capabilities

Access Control (AC)
  • C001: Establish system access requirements.
  • C002: Control internal system access.
  • C003: Control remote system access.
  • C004: Limit data access to authorised users and processes.

Asset Management (AM)
  • C005: Identify and document assets.
  • C006: Manage asset inventory.

Audit and Accountability (AU)
  • C007: Define audit requirements.
  • C008: Perform auditing.
  • C009: Identify and protect audit information.
  • C010: Review and manage audit logs.

Awareness and Training (AT)
  • C011: Conduct security awareness activities.
  • C012: Conduct training.

Configuration Management (CM)
  • C013: Establish configuration baselines.
  • C014: Perform configuration and change management.

Identification and Authentication (IA)
  • C015: Grant access to authenticated entities.

Incident Response (IR)
  • C016: Plan incident response.
  • C017: Detect and report events.
  • C018: Develop and implement a response to a declared incident.
  • C019: Perform post-incident reviews.
  • C020: Test incident response.

Maintenance (MA)
  • C021: Manage maintenance.

Media Protection (MP)
  • C022: Identify and mark media.
  • C023: Protect and control media.
  • C024: Sanitise media.
  • C025: Protect media during transport.

Personnel Security (PS)
  • C026: Screen personnel.
  • C027: Protect CUI during personnel actions.

Physical Protection (PE)
  • C028: Limit physical access.

Recovery (RE)
  • C029: Manage backups.
  • C030: Manage information security continuity.

Risk Management (RM)
  • C031: Identify and evaluate risk.
  • C032: Manage risk.
  • C033: Manage supply chain risk.

Security Assessment (CA)
  • C034: Develop and manage a system security plan.
  • C035: Define and manage controls.
  • C036: Perform code reviews.

Situational Awareness (SA)
  • C037: Implement threat monitoring.

System and Communications Protection (SC)
  • C038: Define security requirements for systems and communications.
  • C039: Control communications at system boundaries.
  • C040: Identify and manage information system flows.

System and Information Integrity (SI)
  • C041: Identify malicious content.
  • C042: Perform network and system monitoring.
  • C043: Implement advanced email protections.