Each domain has a dedicated reference page with practitioner commentary, assessment context, cross-domain intersections, and implementation pitfalls. Each individual control card can be opened or downloaded as a PDF.
Fourteen reference pages, one per domain. Each explains what the domain is for, how its controls organize into clusters, where they intersect with other domains, and the implementation pitfalls practitioners encounter most often in the field.
Access Control (AC): Authorization, separation of duties, session management, and how CUI flows between systems, users, and the outside world. The largest domain in the framework.

Awareness and Training (AT): Risk awareness for all personnel, role-based training for security-significant duties, and the insider threat recognition that the broader workforce must carry.

Audit and Accountability (AU): Event logging, review and correlation, audit protection, and the time source that makes audit records reconcilable across the environment.

Configuration Management (CM): System baselines, change management with security impact analysis, least functionality, and the software execution policies that govern what can run.

Identification and Authentication (IA): Identifier lifecycle, authentication mechanisms, multi-factor requirements, and password management that increasingly inherits NIST SP 800-63B expectations.

Incident Response (IR): The full incident handling lifecycle, the DFARS 72-hour reporting obligation, and the response testing that validates the plan before it is needed.

Maintenance (MA): Controlled maintenance, sanitization of equipment leaving the environment, media inspection, MFA on remote maintenance, and personnel supervision.

Media Protection (MP): Protection of CUI across paper and digital media throughout its lifecycle, including disposal, transport, and the removable media use controls.

Physical Protection (PE): Facility access control, visitor management, physical access logs, and the protection of CUI at home offices and other alternate work sites.

Personnel Security (PS): Pre-access screening and the protection of systems during personnel actions. The smallest domain, yet its output feeds almost every other domain.

Risk Assessment (RA): Periodic risk assessment, vulnerability scanning, and risk-informed remediation. The analytical foundation that prioritizes every other control decision.

Security Assessment (CA): Self-assessment, the Plan of Action and Milestones, continuous monitoring, and the System Security Plan. The self-governance layer of the program.

System and Communications Protection (SC): Network boundary protection, cryptographic mechanisms for CUI in transit and at rest, key management, and specialized technology controls.

System and Information Integrity (SI): Flaw remediation, malicious code protection, security alert monitoring, and the identification of unauthorized use that the authorization-first reading requires.
All 110 CMMC Level 2 controls, organized by domain. Click any control to view its reference card. Each card sources its assessment objectives, methods, and artifacts verbatim from the CMMC Assessment Guide Level 2 v2.13.