
Cybersecurity Maturity Model Certification 2.0 Level 2

US Department of Defense cybersecurity certification framework for the defense industrial base. Level 2 aligns to NIST SP 800-171 Rev 2 (110 security requirements) across 14 domains: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Required for contractors that handle Controlled Unclassified Information (CUI). Most Level 2 contracts require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO); a subset of contracts permits an annual self-assessment instead. The tables below list NIST SP 800-53 controls by identifier and name and, for each, the CMMC 2.0 domain(s) whose practices it corresponds to; a control that corresponds to more than one domain lists each of them.

AC Access Control

Control | Name | CMMC 2.0 Domain(s)
AC-01 | Access Control Policies and Procedures | AC
AC-02 | Account Management | AC
AC-03 | Access Enforcement | AC
AC-04 | Information Flow Enforcement | AC
AC-05 | Separation Of Duties | AC
AC-06 | Least Privilege | AC
AC-07 | Unsuccessful Login Attempts | AC
AC-08 | System Use Notification | AC
AC-09 | Previous Logon Notification | AC
AC-10 | Concurrent Session Control | AC
AC-11 | Session Lock | AC
AC-12 | Session Termination | AC
AC-13 | Supervision And Review -- Access Control | AC
AC-14 | Permitted Actions Without Identification Or Authentication | AC
AC-16 | Automated Labeling | AC
AC-17 | Remote Access | AC
AC-18 | Wireless Access Restrictions | AC
AC-19 | Access Control For Portable And Mobile Devices | AC
AC-20 | Use Of External Information Systems | AC
AC-21 | Information Sharing | AC
AC-22 | Publicly Accessible Content | AC
AC-24 | Access Control Decisions | AC

AT Awareness and Training

Control | Name | CMMC 2.0 Domain(s)
AT-01 | Security Awareness And Training Policy And Procedures | AT
AT-02 | Security Awareness | AT
AT-03 | Security Training | AT
AT-04 | Security Training Records | AT
AT-05 | Contacts With Security Groups And Associations | AT
AT-06 | Training Feedback | AT

AU Audit and Accountability

Control | Name | CMMC 2.0 Domain(s)
AU-01 | Audit And Accountability Policy And Procedures | AU
AU-02 | Auditable Events | AU
AU-03 | Content Of Audit Records | AU
AU-04 | Audit Storage Capacity | AU
AU-05 | Response To Audit Processing Failures | AU
AU-06 | Audit Monitoring, Analysis, And Reporting | AU
AU-07 | Audit Reduction And Report Generation | AU
AU-08 | Time Stamps | AU
AU-09 | Protection Of Audit Information | AU
AU-10 | Non-Repudiation | AU
AU-11 | Audit Record Retention | AU
AU-12 | Audit Record Generation | AU
AU-13 | Monitoring for Information Disclosure | AU
AU-14 | Session Audit | AU
AU-16 | Cross-Organizational Audit Logging | AU

CA Security Assessment and Authorization

Control | Name | CMMC 2.0 Domain(s)
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | CA
CA-02 | Security Assessments | CA, RA
CA-03 | Information System Connections | CA
CA-04 | Security Certification | CA
CA-05 | Plan Of Action And Milestones | CA
CA-06 | Security Accreditation | CA
CA-07 | Continuous Monitoring | CA
CA-08 | Penetration Testing | CA, RA
CA-09 | Internal System Connections | CA

CM Configuration Management

Control | Name | CMMC 2.0 Domain(s)
CM-01 | Configuration Management Policy And Procedures | CM
CM-02 | Baseline Configuration | CM
CM-03 | Configuration Change Control | CM
CM-04 | Monitoring Configuration Changes | CM
CM-05 | Access Restrictions For Change | CM
CM-06 | Configuration Settings | CM
CM-07 | Least Functionality | CM
CM-08 | Information System Component Inventory | CM
CM-09 | Configuration Management Plan | CM
CM-10 | Software Usage Restrictions | CM
CM-11 | User-Installed Software | CM
CM-12 | Information Location | CM
CM-13 | Data Action Mapping | CM
CM-14 | Signed Components | CM

CP Contingency Planning

Control | Name | CMMC 2.0 Domain(s)
CP-09 | Information System Backup | MP

IA Identification and Authentication

Control | Name | CMMC 2.0 Domain(s)
IA-01 | Identification And Authentication Policy And Procedures | IA
IA-02 | User Identification And Authentication | AC, IA
IA-03 | Device Identification And Authentication | IA
IA-04 | Identifier Management | AC, IA
IA-05 | Authenticator Management | AC, IA
IA-06 | Authenticator Feedback | IA
IA-07 | Cryptographic Module Authentication | IA
IA-08 | Identification and Authentication (Non-Organizational Users) | IA
IA-09 | Service Identification and Authentication | IA
IA-10 | Adaptive Authentication | IA
IA-11 | Re-authentication | IA
IA-12 | Identity Proofing | IA

IR Incident Response

Control | Name | CMMC 2.0 Domain(s)
IR-01 | Incident Response Policy And Procedures | IR
IR-02 | Incident Response Training | IR
IR-03 | Incident Response Testing And Exercises | IR
IR-04 | Incident Handling | IR
IR-05 | Incident Monitoring | IR
IR-06 | Incident Reporting | IR
IR-07 | Incident Response Assistance | IR
IR-08 | Incident Response Plan | IR
IR-09 | Information Spillage Response | IR

MA Maintenance

Control | Name | CMMC 2.0 Domain(s)
MA-01 | System Maintenance Policy And Procedures | MA
MA-02 | Controlled Maintenance | MA
MA-03 | Maintenance Tools | MA
MA-04 | Remote Maintenance | MA
MA-05 | Maintenance Personnel | MA
MA-06 | Timely Maintenance | MA
MA-07 | Field Maintenance | MA

MP Media Protection

Control | Name | CMMC 2.0 Domain(s)
MP-01 | Media Protection Policy And Procedures | MP
MP-02 | Media Access | MP
MP-03 | Media Labeling | MP
MP-04 | Media Storage | MP
MP-05 | Media Transport | MP
MP-06 | Media Sanitization And Disposal | MP
MP-07 | Media Use | MP
MP-08 | Media Downgrading | MP

PE Physical and Environmental Protection

Control | Name | CMMC 2.0 Domain(s)
PE-01 | Physical And Environmental Protection Policy And Procedures | PE
PE-02 | Physical Access Authorizations | PE
PE-03 | Physical Access Control | PE
PE-04 | Access Control For Transmission Medium | PE
PE-05 | Access Control For Display Medium | PE
PE-06 | Monitoring Physical Access | PE
PE-07 | Visitor Control | PE
PE-08 | Access Records | PE
PE-09 | Power Equipment And Power Cabling | PE
PE-10 | Emergency Shutoff | PE
PE-11 | Emergency Power | PE
PE-12 | Emergency Lighting | PE
PE-13 | Fire Protection | PE
PE-14 | Temperature And Humidity Controls | PE
PE-15 | Water Damage Protection | PE
PE-16 | Delivery And Removal | PE
PE-17 | Alternate Work Site | PE
PE-18 | Location Of Information System Components | PE

PL Planning

Control | Name | CMMC 2.0 Domain(s)
PL-01 | Security Planning Policy And Procedures | CA
PL-02 | System Security Plan | CA
PL-04 | Rules Of Behavior | AT

PM Program Management

Control | Name | CMMC 2.0 Domain(s)
PM-06 | Measures of Performance | CA
PM-09 | Risk Management Strategy | RA
PM-10 | Authorization Process | CA
PM-12 | Insider Threat Program | IR
PM-13 | Security and Privacy Workforce | AT
PM-14 | Testing, Training, and Monitoring | AT, CA
PM-28 | Risk Framing | RA

PS Personnel Security

Control | Name | CMMC 2.0 Domain(s)
PS-01 | Personnel Security Policy And Procedures | PS
PS-02 | Position Categorization | PS
PS-03 | Personnel Screening | PS
PS-04 | Personnel Termination | PS
PS-05 | Personnel Transfer | PS
PS-06 | Access Agreements | PS
PS-07 | Third-Party Personnel Security | PS
PS-08 | Personnel Sanctions | PS
PS-09 | Position Descriptions | PS

RA Risk Assessment

Control | Name | CMMC 2.0 Domain(s)
RA-01 | Risk Assessment Policy And Procedures | RA
RA-02 | Security Categorization | RA
RA-03 | Risk Assessment | RA
RA-04 | Risk Assessment Update | RA
RA-05 | Vulnerability Scanning | RA, SI
RA-06 | Technical Surveillance Countermeasures Survey | RA
RA-07 | Risk Response | RA
RA-08 | Privacy Impact Assessments | RA
RA-09 | Criticality Analysis | RA
RA-10 | Threat Hunting | RA

SA System and Services Acquisition

Control | Name | CMMC 2.0 Domain(s)
SA-08 | Security Engineering Principles | SC
SA-10 | Developer Configuration Management | CM

SC System and Communications Protection

Control | Name | CMMC 2.0 Domain(s)
SC-01 | System And Communications Protection Policy And Procedures | SC
SC-02 | Application Partitioning | SC
SC-03 | Security Function Isolation | SC
SC-04 | Information Remnance | SC
SC-05 | Denial Of Service Protection | SC
SC-07 | Boundary Protection | SC
SC-08 | Transmission Integrity | SC
SC-10 | Network Disconnect | SC
SC-11 | Trusted Path | SC
SC-12 | Cryptographic Key Establishment And Management | SC
SC-13 | Use Of Cryptography | SC
SC-15 | Collaborative Computing | SC
SC-17 | Public Key Infrastructure Certificates | SC
SC-18 | Mobile Code | SC
SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | SC
SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | SC
SC-22 | Architecture And Provisioning For Name / Address Resolution Service | SC
SC-23 | Session Authenticity | SC
SC-28 | Protection of Information at Rest | MP, SC
SC-39 | Process Isolation | SC

SI System and Information Integrity

Control | Name | CMMC 2.0 Domain(s)
SI-01 | System And Information Integrity Policy And Procedures | SI
SI-02 | Flaw Remediation | SI
SI-03 | Malicious Code Protection | SI
SI-04 | Information System Monitoring Tools And Techniques | AU, SI
SI-05 | Security Alerts And Advisories | IR, SI
SI-06 | Security Functionality Verification | SI
SI-07 | Software And Information Integrity | SI
SI-08 | Spam Protection | SI
SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | SI
SI-11 | Error Handling | SI
SI-12 | Information Output Handling And Retention | SI
SI-16 | Memory Protection | SI