Defining the 17 NIST 800-171 Domains
The Cybersecurity Maturity Model Certification (CMMC) framework defines essential safety practices required to keep sensitive information safe, particularly for businesses that have contracts with the Department of Defense (DoD).
Such contracts require contracting companies to attain one of three levels of cybersecurity depending on the type of information the company is to handle.
For Basic or Level 1 cybersecurity, companies need only to handle FCI or Federal Contract Information. For Advanced or Level 2, companies need to be able to handle CUI or Controlled Unclassified Information. Expert or Level 3 has stricter requirements and will be based on NIST SP 800-172 requirements.
We’ve covered these requirements in the past and the changes between CMMC 1.0 and the new 2.0 standard. What we will discuss today are the CMMC’s 17 cybersecurity domains. These domains outline specific practices governing different aspects of cybersecurity.
1. Access Control (AC)
Beginning with physical security, Access Control, or AC, governs security measures meant to defend real-world access points. The building in which your company operates needs to have physical barriers to prevent unauthorized access or breaches in security. Such security measures include:
- Locked doors
- Camera monitoring systems
Preventing thieves or hackers from being able to walk to areas in your building that could give them unfettered access to computers or documents is the first step in securing your sensitive information.
Every employee in your company needs to have access to the specific areas necessary to do their job, and no more. Giving every employee the same login information that gives them free rein to reach every part of your network leads to too many individuals having access to the entirety of your data.
If a hacker managed to steal the credentials of a single employee or an employee became disgruntled and wanted to sell secret information to the highest bidder, nothing would stop them from having complete freedom to do so. If you operate on role-based access control (RBAC) principles, you will make your data more secure.
Companies need to issue access credentials, such as keycards to unlock particular rooms and the ability to log into isolated, secure computers, based on job requirements.
Administrator accounts, which allow greater levels of access, need to be in the hands of a few key staff. These are the core principles of “least privilege” and “zero trust.” Using identity and access management (IAM) systems and privileged access management (PAM) protects sensitive information.
Access Control (AC) in CMMC covers the following areas:
- C001: Establish requirements for system access
- C002: Closely monitor and limit internal system access
- C003: Closely monitor and limit remote system access
- C004: Allow data access to only authorized users and processes
2. Asset Management (AM)
Every company needs assets to function. Assets are things, both tangible and intangible, that are necessary to perform business. Assets include:
- Proprietary information
- Raw materials
- Contacts and vendors
Along with these assets comes the need to protect them. Asset management, or AM, covers the methodology by which these assets are protected.
Every asset represents a possible entry point for thieves, scammers, and hackers. Since many companies operate regionally, nationally, and even globally, these assets can be spread out over a large area, increasing the company’s risk.
You might think that objects such as vehicles or raw materials would be safe from a hacker since they aren’t networks or computers waiting to be hacked. Any asset a company has can become leverage for a hacker.
For example, if a ransomware attack shut down a company’s computers that controlled a pipeline for fuel, the company would no longer be able to control the fuel flow and would not have access to it. Hackers can’t hack the fuel itself, but the computers that control it can be breached.
Document all assets. Note their location, use, access policies, and operational life, and keep this information in an asset register. The register should also document the possible risk posed by each asset and how they are being protected. You must keep this register up to date at all times.
Computers may be the most sensitive assets since they can contain all of a company’s data, such as trade secrets or the personal information of employees and customers.
To defend these assets, each computer and its parts/software must be tracked and cataloged. Once the computers have reached their operational life expectancy, they must be disposed of by a reputable shredding firm that can provide a certificate of asset destruction.
Asset Management (AM) in CMMC covers the following areas:
- C005: Identify all assets and document them
- C006: Manage the inventory of assets
3. Audit and Accountability (AU)
Being able to track user logins is essential. This approach doesn’t mean monitoring employees in a manner akin to spying, simply that your IT infrastructure needs to be set up in a way to monitor who logs into sensitive areas and when.
Audit and Accountability, or AU, involves audit logging to create oversight of your network. You can ensure that essential data is still secure by tracking user logins, data transfers, and communication records.
Your audit logging needs to be an automatic process. Having the logs generated automatically removes the possibility of user error or sabotage. Should you experience a cyberattack, these logs create a forensic trail to find out the source of infection or where the security compromise happened.
Audit and Accountability tracks:
- Communication gateways (routers and switches)
- IT system logs
- Production tools
- Equipment use
Many organizations hire a Security Operations Center (SOC) or managed IT service to oversee data security. These organizations can track the origin of cyber attacks to their source by checking against a database of known threats.
They can then isolate appropriate portions of the network to prevent the spread of viruses, Trojans, ransomware, and other nefarious hacker tools. These organizations can also set up the automatic generation of your audit logs.
Audit and Accountability (AU) in CMMC covers the following areas:
- C007: Define the audit requirements
- C008: Perform the auditing
- C009: Identify/protect all audit information
- C010: Review, then manage audit logs
4. Awareness and Training (AT)
Much of what we might think of as “hacking” is more akin to social engineering. Scammers have become adept at gleaning information from employees by pretending to be colleagues, vendors, friends, or family. They can use techniques such as:
- Business email compromise (BEC)
- Calling and asking for information
- Leaving virus-ridden thumb drives in strategic locations
- Setting up fake websites with links that download viruses
As hackers and scammers get more sophisticated with their techniques, companies need to be equally vigilant and creative in training employees to be on their guard.
All employees need to be trained to watch for cyber threats, not just high-level staff. Anyone who has access to the company in any way, from vendors to custodial staff, should be able to spot potential threats.
Employees should not open strange emails or download suspicious attachments. Passwords and usernames should never be shared. Keycards must remain in possession of designated employees at all times.
Sensitive and personal information should not be written down where someone can see it, such as taped to a computer monitor.
An organization’s finance department can come under attack with more vigor than other departments. Because your accounting and bookkeeping staff are responsible for financial records for the company and its customers, they are especially susceptible to scams asking for information or requesting money transfers.
Your company needs to engage in regular training sessions with employees to ensure they understand and look for threats. New employees should be briefed whenever they come on board the company. Everyone at every level, from receptionists to the CEO, needs to demonstrate an understanding of cybersecurity and its associated risks.
Awareness and Training (AT) in CMMC covers the following areas:
- C011: Conduct regular security awareness activities
- C012: Engage in training sessions
5. Configuration Management (CM)
Companies can have workstations, networks, and servers with a wide variety of hardware, software, and operating systems. This variety isn’t necessarily a problem and is quite normal since different employees and departments have different requirements.
However, this can pose a security risk. Even if a company employs such varied technology, using internal resources or with a managed IT service provider, the different components must all be protected through regular updates and patches.
Obsolete or unsupported software can create an entryway for hackers. Many companies keep legacy software and hardware because upgrading is expensive, and the employees can get used to certain interfaces.
Once the manufacturer no longer supports and updates the software or hardware, hackers can exploit known weaknesses to create an opportunity for themselves and gain access to your system.
Your organization must work to establish as much consistency across its tech infrastructure as possible. You must keep all antivirus software up to date. Patches need to be applied as soon as they become available.
Old software with vulnerabilities needs to be updated to the latest versions. Creating a baseline for all computers and workstations needs to be part of a solid Configuration Management plan or CM.
Good CM also relies on employees doing their part in aiding with the standardization across devices. Suppose that you don’t have managed IT services. In that case, employees will have to keep their systems updated themselves.
Even if you have managed IT services, ensuring that employees don’t change computer settings or install unauthorized software is essential.
Configuration Management (CM) in CMMC covers the following areas:
- C013: Establish the baselines of your configuration
- C014: Enact the configuration and change the management
6. Identification and Authentication (IA)
Your IT infrastructure isn’t an intelligent being, but it still has to be able to recognize people. Specifically, it has to be able to authenticate users.
Of course, the system needs to also be able to funnel the appropriate users to the right locations within the network. Every part of your infrastructure needs to be able to limit access to only the correct people:
It may seem like a hindrance to productivity, but each access point needs restricted access and must require logins to enter.
There are many different ways to authenticate users, and the more personal, the better. Simple username and password logins aren’t enough to provide strict security in many cases.
While two-factor authentication is a great starting point, some companies may need to go further with biometric scanning, such as fingerprints or retinal scans.
Proper IA paired with AU means not only is logging in a secure process for the employee but also that the employee’s access is cataloged. This trail is useful, especially when biometric screening all but eliminates the excuse of stolen credentials in case of a breach.
The more individual the security, the less likely there will be some manner of insider sabotage.
Identification and Authentication (IA) in CMMC covers the following area:
- C015: Allowing access for authenticated users
7. Incident Response (IR)
How will your company respond to a cyber attack? Your organization needs to prepare for the eventuality that a threat actor will attempt to cause your company harm by accessing, stealing, or encrypting sensitive data.
Creating a detailed Incident Response (IR) plan gives you an outline to follow to properly respond in the event of such an attack.
Your IR plan should cover:
- Data loss
- Service outages
- Data corruption
- Ransomware encryption
- DDoS attacks
- Password/Username compromise
When you’ve prepared for all of the possible attacks, you should test your plan to ensure it’s effective. Regular tests will confirm whether you’ve prepared your IT infrastructure well.
As always, document everything. The more you document, the more you can ensure your methodology is effective. This documentation is especially handy if your company is more likely to have a high turnover.
High turnover isn’t necessarily the sign of a sick company, many businesses have seasonal work, and such turnover is expected. It does create a larger security risk because those workers aren’t as familiar with your organization’s operations. Documenting how to respond in case of an emergency protects your business.
Incident Response (IR) in CMMC covers the following area:
- C016: Plan your incident response
- C017: Scan for, find, and report all events
- C018: When incidents occur, create and enact responses
- C019: Conduct reviews after incidents
- C020: Test your incident response
8. Maintenance (MA)
No system is perfect, and even the best designed IT infrastructure and network will need maintenance. Maintenance (MA) needs to be a structured operation rather than something that’s done absentmindedly. Regular maintenance items that should be in your plan are:
- Identifying inappropriate processes running on company hardware
- Updating and patching programs and operating systems
- Replacing parts with known life expectancies before failure
- Upgrading obsolete equipment and software
- Checking the speed of computers to see they need optimization
- Monitoring the environment of computers
Maintenance is about more than just the machines themselves; you’ll need to factor in the environment that your computers live in, too. Smoking around computers is terrible for them; cigarette and cigar smoke can seep into the computer and gum up vital components such as cooling fans.
High atmospheric humidity can also create havoc by shorting components and destroying sensitive electronics over time.
Your employees will need to pay attention to any notifications from software manufacturers about updating their programs to the latest version. Even with managed IT services, it’s best to have employees paying attention as they use their workstations because they may be the first to see a notification.
Maintenance (MA) in CMMC covers the following area:
- C021: Managing maintenance
9. Media Protection (MP)
The type of media your organization will be expected to handle as per your DoD contract will determine which level of CMMC certification you need to achieve. As mentioned earlier, FCI handling only requires a Basic Level of cybersecurity. If you plan on handling CUI, then you’ll need to achieve Level 2, Advanced, or Level 3, Expert.
The exact kind of data you need to protect varies, but it could be:
- Personnel records
- Financial records
Any data that could be used to hack personal accounts or gain access to company secrets needs protection. Whether physical or digital, you must have a plan for keeping data out of the hands of hackers.
Each piece of information must be marked and tracked, secured for its entire lifespan. This protection can be done with AC measures such as safes, locked rooms, firewalls on servers, computers that aren’t connected to a network, and other such measures.
Transporting media is an opportunity for theft. Whether this is delivering a thumb drive, a CD, or some other form of physical media, the object in question must be properly monitored and safeguarded. From creation to the ultimate destruction of the data and its storage medium, there can’t be a time when it is out of the organization’s control.
Companies can’t hand a flash drive to an employee and hope the drive makes it to its final destination; there must be protocols in place for ensuring the media’s delivery and tracking the delivery progress.
Media Protection (MP) in CMMC covers the following areas:
- C022: Identify media and mark it for tracking
- C023: Safeguard and defend the media
- C024: Sanitize the media
- C025: Safeguard the media during transport
10. Personnel Security (PS)
No company can operate without employees, but while employees represent an asset that companies need, they are also a great threat. Insider leaks and spying are massive problems for companies with valuable data.
Businesses wishing to obtain contracts with the DoD will need to have stringent screening policies for hiring employees. Contractors need to take into account the following when hiring new staff:
- Criminal record
- Legal compliance
If an employee hasn’t been properly screened, they represent a possible threat to the organization and depending on the nature of the contract, a threat to national security.
Even the best screening methods are not 100% effective, of course. As such, employees who have access to particularly sensitive information will need to be monitored so that they are not hindered in their work yet and do not have a reasonable opportunity for stealing data.
If, after hiring or firing an employee, a competitor reveals an identical product to your own design, it could be indicative of data theft. Unfortunately, without monitoring protocols in place and with ineffective screening techniques, it may be impossible to prove in a court of law that theft has taken place.
Personnel Security, or PS, is an essential part of the security chain. People aren’t machines, however, and divining a candidate’s intentions isn’t always possible. But by doing your due diligence, you can save your company future data breaches by enacting strict screening protocols.
Personnel Security (PS) in CMMC covers the following areas:
- C026: Screen your personnel
- C027: Protect sensitive data in all personnel actions
11. Physical Protection (PE)
While Physical Protection, or PE, seems like it might be identical to Access Control (AC), PE is more concerned with protecting equipment and documents from damage, whether from natural disasters or intentional sabotage. Damage that can occur to your IT infrastructure includes:
- Extreme temperature
- Blunt force
- Bypassing security systems
- Power surges
Because your network, mainframe, workstations, and other technology are reliant on many outside factors (electricity, internet access, etc.), safeguards need to be in place to prevent attacks from shutting down your infrastructure.
Backup generators and even multiple internet connections, including wireless connections, can keep your company operating while defending your data.
Rooms in which your servers or workstations sit should be temperature and humidity-controlled. Electronics work best in moisture-free environments.
Your data protection measures should include fire and heat resistant materials and containers as much as possible and should be water-resistant in case of flooding or in the event a fire must be suppressed.
Where PE goes hand in hand with AC is in securing rooms with appropriate locks. Your locks must be protected, too, of course, and shouldn’t be easily destroyed or hackable. Sometimes the most important function of a lock will be slowing down a thief and signaling to authorities that a theft is in progress. No lock is 100% impenetrable.
Physical Protection (PE) in CMMC covers the following area:
- C028: Place limits on physical access
12. Recovery (RE)
Disasters will happen, but the severity of the damage they cause can be dramatically reduced by careful planning. Backing up data is an essential part of Recovery, or RE, in cybersecurity.
Your business needs to have a recovery plan in case of a disaster. This plan means having access to your backups, having replacement computers and computer parts, and maintaining access to your necessary assets. Planning ahead in this way keeps downtime to a minimum.
In the event your business can’t restore power, or your building is too damaged, you need to have a plan for an alternate work location. This location should have all of the tools you need to continue your operation.
Because much of a recovery plan may rely on having an alternate location to continue work, you will need to factor in security for your data there, as well. All locations need to have the same level of effective safeguards.
If you’re reliant on subcontractors to continue working, communicate often about what both organizations need in order to keep up production.
Suppose one location isn’t updating software or hardware as often as the other, and suddenly they’re relied upon to provide backup computers. In that case, it can mean lost hours in optimizing and updating workstations rather than creating products or working on other aspects of the contract.
Recovery (RE) in CMMC covers the following areas:
- C029: Establish and manage your backups
- C030: Maintain information security
13. Risk Management (RM)
Your company will need to prioritize risk. This Risk Management, or RE, allows you to focus resources on the most likely sources of cyberattacks. Businesses need to make a profit to operate, and if a safety measure has little risk but takes up large amounts of capital to initiate, it may not be worth the cost.
Of course, if necessary cybersecurity measures are beyond the capabilities of an organization, it might not be possible for them to win a DoD contract in the first place.
Developing a plan of action and milestones (POAM) outlines necessary steps in order of importance and when these steps will be enacted. As your company defines the risk of each part of their contract, so too can you determine your risk level and potential return on investment (ROI) of the necessary safety measures.
Portions of the CMMC allow POAMs to demonstrate that security measures that are not yet in place are being planned, but any future additions to your cybersecurity plan outlined in the POAM need to have a date attached.
The DoD wants to see that your plans for strengthening your cybersecurity infrastructure are concrete and that the plan will meet the milestones accordingly.
Risk Management (RM) in CMMC covers the following areas:
- C031: Find risk factors, evaluate them
- C032: Manage your risk
- C033: Manage risk along the supply chain
14. Security Assessment (CA)
You can’t improve what you don’t measure. Performing a Security Assessment or CA shines a light on the current security measures of your company. In determining your cyber risk profile, you need to:
- Find possible risks
- Identify current security measures
- Analyze current security
- Develop a systems security plan (SSP)
Your SSP is a document that outlines your company-wide security, its effectiveness, and methodology regarding monitoring and oversight. The SSP also needs to include the company’s roles regarding security, including management, reporting, and implementation.
There will also have to be documentation in the SSP regarding sources for system hardware, software, and other components related to security.
Any purchases and additions to your IT infrastructure will need to be evaluated against your security needs. Software that has security concerns or hardware that is easily hacked cannot be added to your network.
With detailed system information to check against in your SSP, no unsecured equipment or programs should be able to slip into your company.
As always, test your security measures and your SSP. Weaknesses need to be rooted out and documented. This documentation comes in especially handy when new recruits join the team. If they’re unaware that a security measure has been tested and failed, they may attempt to implement it themselves.
Security Assessment (CA) in CMMC covers the following areas:
- C034: Create and maintain your system security plan
- C035: Establish and manage all controls
- C036: Do code reviews
15. Situational Awareness (SA)
Having an understanding of the state of cybersecurity around the world is crucial. This Situational Awareness, or SA, keeps companies abreast of the latest happenings regarding hacking attempts and scams, and should inform cybersecurity policy.
Pay attention to vendor information regarding security weaknesses in hardware and software. Analyze news for new hacking techniques and methods to defend against them.
If your company does not stay up to date with the latest security trends and news, it can cause problems when a cyber threat shows up. If your antivirus software is out of date, for example, it can miss a potentially disastrous piece of ransomware or malware.
What’s worse, these viruses can affect hardware, as well. Computers can be “bricked” or rendered useless through software alone. Machines that are computer-controlled can damage themselves irreparably.
Maintain lists of threatening code that can take down your company’s IT infrastructure. Update them constantly to stay ahead of threats. You can subscribe to commercial threat reports for such news. As always, document everything.
Situational Awareness (SA) in CMMC covers the following area:
- C037: Use threat monitoring, and keep it up to date
16. Systems Communication Protection (SC)
Data flow can be interrupted by many causes, but it takes planning and foresight to prevent it from stopping or resume it quickly. Systems Communication Protection, or SC, requires a business to have a firm understanding of how each of its tools communicates with each other.
Technology has allowed for more connections than ever, which also gives hackers more avenues for working their way into your system. To provide proper security, you will need to maintain connections while also being concerned about:
- Network and code security
- Data loss prevention
- Access management
Every access point between two pieces of technology is a potential source for a cyber attack.
Firewalls, passwords, and biometric protection maintain security. Identify all points where data flows and restrict access to essential personnel only. If you rely on cloud services, they need to have the utmost protection lest they be accessed on unsecured workstations or networks.
Your company should have strict rules about connecting personal devices, such as phones, tablets, or laptops, to company computers or networks. These devices can act as entryways for hackers to take control of your system. You can also install detection software to ensure no personal devices are plugged into a work computer.
System Communications Protection (SC) in CMMC covers the following areas:
- C038: Outline security needs for systems and communications
- C039: Set system boundaries and control communications through them
17. System Information Integrity (SI)
Think of System Information Integrity, or SI, as the comprehensive range of your security measures keeping your company’s data safe:
- No software is left unpatched
- No hardware with security weaknesses in place
- Up to date anti-virus software running
- SPAM filters operating
- Monitoring of all systems
- Reacting to security alerts
- Assessing threats
- Adhering to all security laws regarding information handling
Your cybersecurity infrastructure is like a chain where the weakest link can cause a complete collapse. Every link must be as strong as it can be.
Analyze your infrastructure. Root out weaknesses to ensure a consistent wall of protection around your data. As weak points are found, address them and document the changes. Guaranteeing information integrity is what will allow your company to maintain its contract with the DoD. If your data is compromised, so is your contract.
System Information Integrity (SI) in CMMC covers the following areas:
- C040: Find all information system flaws and correct them
- C041: Root out malicious content
- C042: Enact network and system monitoring protocols
- C043: Install and use advanced email protection
CMMC Policies and Procedures
Having analyzed the 17 domains of the CMMC, let’s discuss the cybersecurity policies and procedures your business will need to have in place.
The rules for cybersecurity in CMMC are based on NIST SP 800-171 security measures, and all businesses holding contracts with the DoD need to have some level of compliance. If your business will be required to reach CMMC Level 2, Advanced, or 3, Expert, you will need to set guidelines regarding:
- Access Control: Identifying authorized users for data access
- Awareness and Training: Ensure staff is properly educated on data handling
- Audit and Accountability: Track authorized and unauthorized access
- Configuration Management: Document network safety protocols
- Configuration Planning: Carefully plan the building of the network
- Incident Response: Outline steps for handling a security breach
- Identification and Authentication: Establish how users are verified
- Information Flow Control: Set boundaries for how data is shared
- Information Flow Enforcement: Establish methods to keep shared data safe
- Information System Maintenance: Create routines for maintaining the system
- Media Protection: Set parameters for how and where media is stored
- Media Sanitization and Disposal: Set rules for how old data is destroyed
- Mobile Code Implementation: Protect mobile devices that access data
- Password: Create and enforce rules and timelines for changing passwords
- Personnel Security: Set screening rules for new recruits
- Physical and Environmental Protection: Protect the storage methods for data
- Portable Media: Set rules for how and when it can be used or transported
- Risk Assessment: Test defenses regularly
- Security Assessment and Authorization: Document processes, improvements
- Security Awareness and Training: Educate staff on fighting cyberthreats
- Security Planning: Seek, identify, and address weak points
- Separation of Duties: Don’t give any one person too much access
- System and Information Integrity: Defend data with a balanced strategy
- System and Services Acquisition: Allocate resources for cybersecurity
- System and Communication Protection: Monitor and control access points
- System Use: Limit system use to authorized personnel only
When your business is on the receiving end of a CMMC audit, you will need to prove your cyber health in all of these areas. Create a standard operating procedure document with timelines of implementation for processes and security patch downloads, employee training and refreshing, emergency procedures, and so forth.
Constant testing is essential. Establish parameters with your IT provider to ensure that testing does not interrupt workflow. Your servers and workstations may need security testing regularly, but you should do this during downtime. Setting rules and documenting plans are how businesses maintain good cyber health.
Implementing Cyber Security Measures
The average timeline for implementing the security protocols outlined in NIST SP 800-171 can be anywhere from 6 to 8 months. These implementations will require a cost in employee hours, paying for new services, software, and hardware, and paying for CMMC certification:
- Level 1 or Basic certification can cost a business as little as $1,000
- Level 2 or Advanced certification can cost nearly $20,000
- Level 3 or Expert certification can cost almost $500,000
The DoD is not mandating full CMMC compliance until 2026, although it established that date under CMMC 1.0. With the new CMMC 2.0 guidelines, that date may change in the future.
CMMC third-party assessment organizations (C3PAOs) can be relatively expensive, with much of the cost of these certification levels coming from the number of billable hours.
If your business is only seeking Level 1 certification, you won’t need an assessment. If you’re planning on achieving Level 2 or 3 certification, keep in mind that C3PAOs will want to see all of your documentation. The more organized it is, the better. This documentation will be how the C3PAO determines how long their assessment will take.
Establishing Your Company’s Cyber Security
Remember that even though the CMMC certification is technically not required yet, the DoD wants all businesses to demonstrate that they are taking the security of FCI and CUI seriously. The requirement date is years in the future because it gives companies time to begin compliance efforts immediately.
Government contracts can provide lucrative long-term sales, and competition for them is fierce. Companies that are lax in their implementation, whether through poor security measures or delaying their adoption, put themselves at a disadvantage.
Begin assessing your company’s cyber health as soon as possible. Some of these measures are inexpensive or even free to implement. Training employees on how to identify potential scams or hacking attempts takes relatively little time.
SPAM blockers and anti-virus software are inexpensive. Updating security patches should be routine anyway. Not all security measures are costly endeavors, and they make your business more secure whether you land a DoD contract or not.