CMMC Controls Explained: Full List and Breakdown by Domain

Key takeaways

  • CMMC 2.0 organizes 110 Level 2 controls into 14 domains, with the most assessment-critical domains governing identity, access, monitoring, incident response, and system boundaries.

  • Access control, identification and authentication, audit and accountability, incident response, and system and communications protection account for the highest assessment risk, because they are heavily enforced, evidence-driven, and directly tied to real-world breach paths.

  • Successful CMMC compliance depends on demonstrable technical controls and documentation, making continuous monitoring and domain-aligned evidence essential for passing assessments and maintaining eligibility for DoD contracts.

The rollout of Cybersecurity Maturity Model Certification (CMMC) requirements for DoD contractors has begun, with full enforcement slated for 2028. Becoming compliance-ready from an immature state can take 12–18 months, making an immediate start a must for DIB organizations. 

Although the 110 Level 2 CMMC controls have existed as NIST SP 800-171 self-reporting requirements since 2017, data shows that many businesses still struggle to understand and implement them. Failing to satisfy requirements fully can lead to costly delays and remediation or missed contract opportunities, while early certification may offer a competitive advantage.

In this guide, we break down the CMMC 2.0 controls list by domains that cover how systems are accessed, monitored, and protected. We also explain how each is assessed so you can start toward compliance today.


CMMC 2.0 controls

The full CMMC controls list can be found on the DoD website, but they’re best understood by grouping them into 14 domains:

  • Access control (AC)

  • Identification and authentication (IA)

  • Media protection (MP)

  • Physical protection (PE)

  • System and communications protection (SC)

  • System and information integrity (SI)

  • Audit and accountability (AU)

  • Incident response (IR)

  • Configuration management (CM)

  • Risk assessment (RA)

  • Security assessment (CA)

  • Personnel security (PS)

  • Situational awareness (SA)

  • Recovery (RE)

CMMC Level 1 controls consist of 17 practices derived from FAR 52.204-21 (foundational safeguards for FCI). CMMC Level 2 controls align with the 110 safeguards outlined in NIST SP 800-171 Rev. 2 and are organized into the 14 domains above. CMMC Level 3 controls build on Level 2 with a DoD‑defined subset of enhanced requirements derived from NIST SP 800-172, assessed by the government, and used within the same 14‑domain structure.

Since the great majority of DIB contracts carry Level 2 requirements for handling CUI, we’ll focus on those controls. For a deeper dive into compliance levels, check out CMMC 2.0 Compliance Levels Explained.




Key domains

For this guide, we’ll focus on the five highest-priority domains your organization must master for CMMC compliance. These domains tend to receive greater scrutiny during assessments because they carry the highest risk, covering how attackers get in, what they do, and how quickly you notice. For that reason, they are also the areas most responsible for failed assessments.

Access control

Access control (AC) limits who or what can enter the system and what they can do within it. In practice, it operates on the principle of least privilege (PoLP), meaning every user and device gets only the access it needs. Specific controls include unique user accounts, session timeouts, and multi-factor authentication (MFA). Stolen credentials are the top initial attack vector, accounting for 22% of breaches. AC guards against credential abuse and insider threats and limits lateral movement in the event of an intrusion.



Incident response

Incident response (IR) covers how an organization prepares for and reacts to security events. Required controls include an IR plan, defined responsibilities, and procedures for detection, containment, eradication, and recovery. For CMMC compliance, it’s not enough to just have an IR plan; organizations have to regularly test and document these procedures. 

Assessors will look for evidence such as incident logs, dated IR plans, and training records showing staff rehearsed their roles. During a breach, a quick, organized response is critical. Breaches that are contained within 200 days cost an average of $1.14 million less than those with a longer dwell time.


Audit and accountability

Audit and accountability (AU) controls include enabling detailed logging of user actions, system events, and security events, and then regularly reviewing those logs. A SIEM (security information and event management) system often centralizes logs for analysis. Effective logging is essential for quickly assessing the scope of a breach and identifying who did what and when. CMMC requires specifying which events to log (logins, privileged actions, file accesses, etc.), how long to retain logs, and how often to review them. For assessors, logs are evidence that controls are in place and functioning.
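The following script is an added illustration of what a periodic AU log review looks like in practice; it is not code from the article or from Huntress. It parses a handful of constructed log lines (the line format, event names such as LOGIN_FAIL and PRIV_EXEC, the CUI path prefix, the business-hours window, and the failed-login threshold are all assumptions chosen for the example) and returns the findings a reviewer would record: repeated failed logins, privileged actions, access to CUI, after-hours CUI access, successful logins without MFA, and required event types that never appear in the log at all.

```python
"""Periodic audit-log review over constructed sample events.

Added example, not code from the article or from Huntress. The log format,
event names, thresholds and paths below are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real data). Assumed format:
#   <ISO timestamp> <EVENT> user=<id> host=<host> [key=value ...]
SAMPLE_LOG = """\
2025-01-14T08:02:11Z LOGIN_FAIL user=jdoe host=ws-17 src=10.0.4.21
2025-01-14T08:02:19Z LOGIN_FAIL user=jdoe host=ws-17 src=10.0.4.21
2025-01-14T08:02:27Z LOGIN_FAIL user=jdoe host=ws-17 src=10.0.4.21
2025-01-14T08:02:33Z LOGIN_FAIL user=jdoe host=ws-17 src=10.0.4.21
2025-01-14T08:02:40Z LOGIN_FAIL user=jdoe host=ws-17 src=10.0.4.21
2025-01-14T08:03:02Z LOGIN_OK user=jdoe host=ws-17 src=10.0.4.21 mfa=true
2025-01-14T09:15:44Z PRIV_EXEC user=asmith host=srv-fs1 cmd=add_local_admin
2025-01-14T09:40:10Z FILE_READ user=asmith host=srv-fs1 path=/cui/contract-44/spec.pdf
2025-01-14T10:00:00Z LOGIN_OK user=svc-backup host=srv-fs1 src=10.0.4.9
2025-01-14T11:05:00Z FILE_READ user=jdoe host=ws-17 path=/public/readme.txt
2025-01-14T23:58:31Z FILE_READ user=svc-backup host=srv-fs1 path=/cui/contract-44/drawings.zip
"""

# Assumed review policy values (an organization sets its own in the SSP).
FAILED_LOGIN_THRESHOLD = 5     # 5+ failures by one user in the window gets reviewed
CUI_PATH_PREFIX = "/cui/"      # assumed location of CUI on file servers
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC counts as normal activity
# Event types the (assumed) logging policy says must be produced.
REQUIRED_EVENT_TYPES = {"LOGIN_OK", "LOGIN_FAIL", "LOGOUT", "PRIV_EXEC", "FILE_READ"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    host: str
    attrs: dict


def parse_line(line):
    """Parse one log line into an Event; key=value pairs become attrs."""
    ts_str, kind, *rest = line.split()
    attrs = dict(kv.split("=", 1) for kv in rest)
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return Event(ts, kind, attrs.pop("user"), attrs.pop("host"), attrs)


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_cui_read(event):
    return event.kind == "FILE_READ" and event.attrs.get("path", "").startswith(CUI_PATH_PREFIX)


def review(events):
    """Return the findings of one review pass, keyed by finding type."""
    failures = Counter(e.user for e in events if e.kind == "LOGIN_FAIL")
    return {
        "excessive_failed_logins": sorted(
            u for u, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD),
        "privileged_actions": [
            (e.user, e.host, e.attrs.get("cmd")) for e in events if e.kind == "PRIV_EXEC"],
        "cui_access": [(e.user, e.attrs["path"]) for e in events if is_cui_read(e)],
        "after_hours_cui_access": [
            (e.user, e.attrs["path"]) for e in events
            if is_cui_read(e) and e.ts.hour not in BUSINESS_HOURS],
        # A successful login that does not record mfa=true is an IA finding too.
        "logins_without_mfa": sorted(
            e.user for e in events if e.kind == "LOGIN_OK" and e.attrs.get("mfa") != "true"),
    }


def missing_event_types(events, required=REQUIRED_EVENT_TYPES):
    """Required event types never seen: evidence the logging config is incomplete."""
    return required - {e.kind for e in events}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for name, items in review(events).items():
        print(f"{name}: {items}")
    print("never logged:", missing_event_types(events))
```

The last check is the one teams most often forget: a review can only find what the logging policy actually captures, so verifying that every required event type shows up at all is part of the evidence that the AU control is functioning, not just configured on paper.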


Identification and authentication

Identification and authentication (IA) operates hand in hand with access control. While AC focuses on what a user or device is allowed to do, IA first verifies that you are who you claim to be. IA requires each user and device to have a unique identity and a method to verify it (passwords, tokens, biometrics). Controls include enforcing password complexity, rotating credentials, and implementing MFA. This domain ensures only known identities are granted system access. According to Microsoft, MFA can block 99.9% of account compromise attacks.

CMMC requires documented procedures for issuing and revoking IDs and periodically reviewing accounts. For example, if an employee leaves, their accounts must be disabled immediately. Auditors will check user account lists and MFA logs to confirm policies are enforced.
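As an added example of the periodic account review described above (not code from the article or from Huntress), the script below reconciles a directory export against the HR roster and returns the findings an assessor would expect the review to surface: accounts still enabled for departed staff, human accounts without MFA, enabled accounts with no HR record and no documented owner, and dormant accounts. The record fields, the 90-day dormancy window, the review date and all sample data are constructed assumptions.

```python
"""Periodic account review: directory export reconciled against the HR roster.

Added example, not code from the article or from Huntress. Field names,
the dormancy window and the sample records are assumptions for illustration.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2025, 1, 15)   # assumed date the review is run
DORMANCY_DAYS = 90                # assumed policy: no login in 90 days is dormant

# Constructed HR roster: user id -> (employment status, termination date or None)
HR_ROSTER = {
    "jdoe": ("active", None),
    "asmith": ("active", None),
    "bnguyen": ("terminated", date(2025, 1, 10)),
}

# Constructed directory export, one record per account. Service accounts carry
# an "owner" field so they can be tied to an accountable person.
DIRECTORY = [
    {"id": "jdoe", "enabled": True, "mfa": True, "last_login": date(2025, 1, 14), "service": False},
    {"id": "asmith", "enabled": True, "mfa": False, "last_login": date(2025, 1, 13), "service": False},
    {"id": "bnguyen", "enabled": True, "mfa": True, "last_login": date(2025, 1, 9), "service": False},
    {"id": "svc-backup", "enabled": True, "mfa": False, "last_login": date(2024, 9, 1),
     "service": True, "owner": "asmith"},
    {"id": "tmp-vendor", "enabled": True, "mfa": True, "last_login": None, "service": False},
]


def terminated_but_enabled(directory, roster):
    """Departed staff whose accounts were never disabled (the 'leaver' failure)."""
    return sorted(a["id"] for a in directory
                  if a["enabled"] and roster.get(a["id"], ("", None))[0] == "terminated")


def humans_without_mfa(directory):
    """Enabled interactive accounts with no MFA enrollment."""
    return sorted(a["id"] for a in directory
                  if a["enabled"] and not a["service"] and not a["mfa"])


def orphaned_accounts(directory, roster):
    """Enabled accounts with no HR record and no named owner."""
    return sorted(a["id"] for a in directory
                  if a["enabled"] and a["id"] not in roster and not a.get("owner"))


def dormant_accounts(directory, today=REVIEW_DATE, window_days=DORMANCY_DAYS):
    """Enabled accounts that have never logged in or not within the window."""
    cutoff = today - timedelta(days=window_days)
    return sorted(a["id"] for a in directory
                  if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff))


def account_review(directory=DIRECTORY, roster=HR_ROSTER, today=REVIEW_DATE):
    """One dated review pass; the returned dict is what gets filed as evidence."""
    return {
        "review_date": today.isoformat(),
        "terminated_but_enabled": terminated_but_enabled(directory, roster),
        "humans_without_mfa": humans_without_mfa(directory),
        "orphaned_accounts": orphaned_accounts(directory, roster),
        "dormant_accounts": dormant_accounts(directory, today),
    }


if __name__ == "__main__":
    for finding, items in account_review().items():
        print(f"{finding}: {items}")
```

Running the review on a schedule and keeping the dated output alongside the disable actions it triggered gives an assessor exactly the pairing the domain asks for: a documented procedure and proof it was followed.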


System and communications protection

System and communications protection (SC) safeguards data and networks at the system boundary so that even if attackers gain a foothold, their ability to exfiltrate data or hop laterally is limited.

Controls include encryption, firewalls, network segmentation, secure protocols (e.g., TLS for email), and anti-malware. For example, CMMC may require encrypting all stored CUI (at rest) and configuring routers to drop unauthorized traffic. Evidence for these controls includes system configuration output showing encryption enabled (e.g., BitLocker status) and network diagrams with security zones.




How controls are validated

CMMC assessments require proof of technical implementation and documented procedures. Every implemented control should be documented. This includes system security plans (showing how each control is met), IR plans, and audit logs. Assessors will interview staff, review policies and training, and inspect system settings and logs to confirm that policies match real-world controls. 



Why domain grouping helps

With 110 controls to implement and document, domain grouping simplifies compliance. Organizing reporting and evidence by domain aligns with how CMMC assessors structure their reports, making it easier to notice if any documentation or controls are missing. If gaps are found, teams can prioritize remediation based on domain risk, for instance, strengthening IA to guard against breaches before addressing lower-risk controls. In many companies, roles naturally align with domains (e.g., the network team handles SC, security operations owns AU/IR, HR oversees personnel security). These clearly defined responsibilities simplify project management.



Implement CMMC controls with Huntress

Huntress supports multiple CMMC domains, including access control, audit & accountability, incident response, and identification & authentication through integrated endpoint, log, and identity monitoring. Explore how Huntress can operationalize CMMC controls and help demonstrate compliance with assessor-ready documentation.



