For this guide, we’ll focus on the five highest-priority domains your organization must master for CMMC compliance. These domains tend to receive greater scrutiny during assessments because they carry the highest risk, covering how attackers get in, what they do, and how quickly you notice. For that reason, they are also the areas most responsible for failed assessments.
Access control
Access control (AC) limits who or what can enter the system and what they can do within it. In practice, it operates on the principle of least privilege (PoLP), meaning every user and device gets only the access it needs. Specific controls include unique user accounts, session timeouts, and multi-factor authentication (MFA). Stolen credentials are the top initial attack vector, accounting for 22% of breaches. AC guards against credential abuse and insider threats and limits lateral movement in the event of an intrusion.
Incident response
Incident response (IR) covers how an organization prepares for and reacts to security events. Required controls include an IR plan, defined responsibilities, and procedures for detection, containment, eradication, and recovery. For CMMC compliance, it’s not enough to just have an IR plan; organizations have to regularly test and document these procedures.
Assessors will look for evidence such as incident logs, dated IR plans, and training records showing staff rehearsed their roles. During a breach, a quick, organized response is critical. Breaches that are contained within 200 days cost an average of $1.14 million less than those with a longer dwell time.
Audit and accountability
Audit and accountability (AU) controls include enabling detailed logging of user actions, system events, and security events, and then regularly reviewing those logs. A SIEM (security information and event management) system often centralizes logs for analysis. Effective logging is essential for quickly assessing the scope of a breach, identifying who did what and when. CMMC requires specifying what events to log (logins, privileged actions, file accesses, etc.), how long to keep logs, and how often to review them. For assessors, logs are evidence that controls are in place and functioning.
Identification and authentication
Identification and authentication (IA) operate hand in hand with access control. While AC focuses on what a user or device is allowed to do, IA first verifies that you are who you claim to be. IA requires each user and device to have a unique identity and a method to verify it (passwords, tokens, biometrics). Controls include enforcing password complexity, rotating credentials, and implementing MFA. This domain ensures only known identities are granted system access. According to Microsoft, MFA can block 99.9% of account compromise.
CMMC requires documented procedures for issuing and revoking IDs and periodically reviewing accounts. For example, if an employee leaves, their accounts must be disabled immediately. Auditors will check user account lists and MFA logs to confirm policies are enforced.
System and communications protection
System and communications protection (SC) safeguards data and networks at the system boundary so that even if attackers gain a foothold, their ability to exfiltrate data or hop laterally is limited.
Controls include encryption, firewalls, network segmentation, secure protocols (e.g., TLS for email), and anti-malware. For example, CMMC may require encrypting all stored CUI (at rest) and configuring routers to drop unauthorized traffic. Proving these controls would include system configuration files showing enabled encryption (e.g., BitLocker status) and network diagrams with security zones.
