Before you start: scope your CUI enclave

CMMC applies only to the systems that process, store, or transmit CUI, plus the security protection assets that defend them (domain controllers, identity providers, VPN concentrators, SIEM). Define your enclave first: which systems contain CUI, which networks carry it, and who has access. A smaller, well-defended enclave is far easier to certify than a sprawling environment, and every asset you leave in scope is one more thing an assessor will test.

The 14 Domains

AC Access Control 22 practices
  • Limit system access to authorized users only
  • Enforce least privilege — users get only the access their job requires
  • Use non-privileged accounts for non-privileged functions (admins use standard accounts for email/browsing)
  • Monitor, control, and encrypt remote access sessions (the MFA requirement itself is scored under IA, practice 3.5.3)
  • Route remote access via managed access control points
  • Protect wireless access with authentication and encryption
  • Encrypt CUI on mobile devices and mobile computing platforms
  • Verify and control all connections to external systems
  • Control CUI posted or processed on publicly accessible systems
Common gaps: Non-privileged users with admin rights, VPN not enforced for remote access, personal devices accessing CUI without MDM enrollment, split tunneling enabled.
AT Awareness & Training 3 practices
  • Ensure personnel are trained on security responsibilities
  • Provide insider threat awareness training
  • Train personnel on recognizing and reporting threats
Evidence needed: Completion records with dates and names, training content or curriculum, insider threat training distinct from general security awareness.
AU Audit & Accountability 9 practices
  • Create and retain audit logs enabling monitoring and investigation
  • Ensure individual user actions are traceable to those users
  • Alert on audit logging process failure
  • Protect audit information from unauthorized access, modification, and deletion
  • Synchronize system clocks across all systems
Common gaps: Logs not retained long enough (NIST 800-171 sets no fixed period; this guide recommends 3 years), no centralized log aggregation, workstations not forwarding to a central system, no alerting on log failures (for example, the Windows event log service stopping or a full log being cleared).
CM Configuration Management 9 practices
  • Establish and maintain baseline configurations for all systems
  • Track, review, approve, and log changes to systems
  • Analyze security impact of changes prior to implementation
  • Employ least functionality — disable unused ports, protocols, services
  • Apply a deny-all, permit-by-exception (allowlisting) policy, or at minimum a deny-by-exception (blocklisting) policy, to control which software can run
  • Control and monitor user-installed software
Common gaps: No documented baselines, change management informal or undocumented, unnecessary services running, no software control enforcement.
IA Identification & Authentication 11 practices
  • Authenticate identities before allowing access to systems
  • Use MFA for local and network access to privileged accounts
  • Use MFA for network access to non-privileged accounts
  • Use replay-resistant authentication (OTP, PKI, challenge-response)
  • Employ minimum password complexity and change requirements
  • Prohibit password reuse for a specified number of generations
  • Store and transmit only cryptographically-protected passwords
Common gaps: MFA not enforced for all remote access, password reuse not technically blocked, service accounts with shared credentials, passwords stored in plain text or reversible encryption.
IR Incident Response 3 practices
  • Establish an operational incident-handling capability (preparation, detection, containment, recovery)
  • Track, document, and report incidents to appropriate authorities
  • Test the incident response capability
Evidence needed: Written IR plan, tabletop exercise record within the past 12 months, documented incident tickets (even minor ones), and a process for the 72-hour rapid reporting to DoD through the DIBNet portal that DFARS 252.204-7012 requires for cyber incidents affecting covered defense information.
MP Media Protection 9 practices
  • Protect system media containing CUI (paper and digital)
  • Limit access to CUI on system media to authorized users
  • Sanitize or destroy media before disposal or reuse
  • Control the use of removable media on system components
  • Prohibit removable media without identifiable owner
  • Protect confidentiality of backup CUI at storage locations
  • Protect CUI during transport unless protected by alternative physical safeguards
Common gaps: USB drives allowed without controls, laptops lost without encryption enabled, backup media not encrypted, paper CUI not tracked or secured.
RA Risk Assessment 3 practices
  • Periodically assess risk to operations, assets, and individuals from CUI system operation
  • Scan for vulnerabilities periodically and when new vulnerabilities are identified
  • Remediate vulnerabilities in accordance with risk assessments
Common gaps: No formal risk assessment document, vulnerability scans not scheduled or not authenticated, scan results not tracked or remediated.
SC System & Communications Protection 16 practices
  • Monitor, control, and protect communications at external boundaries and key internal boundaries
  • Deny network traffic by default; allow by exception (deny-all, permit-by-exception)
  • Prevent split tunneling — remote devices may not simultaneously use non-remote connections
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
  • Employ FIPS-validated cryptography when used to protect CUI
  • Protect CUI at rest
  • Separate user functionality from system management functionality
Common gaps: CUI transmitted over unencrypted connections, FIPS-validated encryption not enforced (Windows not in FIPS mode, non-FIPS TLS ciphers), split tunneling enabled on VPN, CUI stored unencrypted on cloud storage.
SI System & Information Integrity 7 practices
  • Identify, report, and correct system flaws in a timely manner
  • Provide malware protection at appropriate locations
  • Update malicious code protection mechanisms
  • Perform periodic and real-time scans of files from external sources
  • Monitor systems to detect attacks and indicators of potential attacks
  • Identify unauthorized use of systems

Calculating Your SPRS Score

SPRS Score Formula

The Supplier Performance Risk System (SPRS) score is calculated from your NIST SP 800-171 self-assessment. DFARS 252.204-7019/7020 require a current score (no more than three years old) to be posted in SPRS before award of any covered DoD contract, and the score must cover every system in the assessment scope.

Start at 110 and subtract points for each NOT MET practice, using the weights in Annex A of the DoD NIST SP 800-171 Assessment Methodology (NIST 800-171 itself does not mark weights):
  • High-weighted practices: subtract 5 points each when NOT MET
  • Medium-weighted practices: subtract 3 points each when NOT MET
  • All other practices: subtract 1 point each when NOT MET
  • The score can go negative; the floor is -203 with every practice NOT MET, and contractors with significant gaps routinely score below zero
  • PARTIAL counts as NOT MET for scoring, with two exceptions: 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) lose 3 points instead of 5 when partially implemented. Either way, the remaining work belongs in a POA&M.

False attestation of an inflated SPRS score creates False Claims Act liability. Self-assessments are subject to DoD audit.
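The scoring rules above are easy to get wrong by hand, especially the partial-credit exception and the temptation to skip a practice nobody assessed. The scorer below is an added example, not the page's tool or DoD's software: it starts at 110, subtracts per-practice weights, applies the 3-point partial credit only to 3.5.3 and 3.13.11, and treats any practice with no assessment result as NOT MET. Only the weights for 3.5.3 and 3.13.11 are taken from the DoD methodology; the other weights in the table are assumed placeholders so the example runs, and a real scorer needs the full Annex A table for all 110 practices.

```python
"""Worked SPRS self-assessment scorer (added example, not the page's tool)."""
from __future__ import annotations

from enum import Enum


class Status(Enum):
    MET = "MET"
    NOT_MET = "NOT_MET"
    PARTIAL = "PARTIAL"  # partially implemented


# Points lost when a practice is NOT MET. Only 3.5.3 and 3.13.11 are taken
# from the DoD Assessment Methodology (both 5-point, both eligible for partial
# credit). The other entries are ASSUMED placeholders so the example runs;
# replace this dict with the full 110-practice Annex A table for real use.
WEIGHTS = {
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.1.1": 5,    # assumed weight
    "3.1.20": 1,   # assumed weight
    "3.4.2": 3,    # assumed weight
}

# Partial credit: the methodology subtracts 3 instead of 5 when MFA covers
# only remote/privileged access, or when CUI is encrypted but not with
# FIPS-validated modules. Every other practice is all-or-nothing.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

MAX_SCORE = 110


def deduction(practice: str, status: Status) -> int:
    """Points subtracted for one practice; raises for an unknown practice ID."""
    if practice not in WEIGHTS:
        raise ValueError(f"unknown practice {practice}")
    if status is Status.MET:
        return 0
    if status is Status.PARTIAL and practice in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[practice]
    return WEIGHTS[practice]  # NOT MET, or PARTIAL where no credit exists


def _complete(assessment: dict[str, Status]) -> dict[str, Status]:
    """Fill in every known practice; anything unassessed has no evidence and
    is scored NOT MET rather than silently skipped. Unknown IDs are rejected
    so a typo cannot quietly drop a practice from the score."""
    unknown = set(assessment) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown practices: {sorted(unknown)}")
    return {p: assessment.get(p, Status.NOT_MET) for p in WEIGHTS}


def sprs_score(assessment: dict[str, Status]) -> int:
    """Start at 110 and subtract the deduction for every practice."""
    scored = _complete(assessment)
    return MAX_SCORE - sum(deduction(p, s) for p, s in scored.items())


def poam_entries(assessment: dict[str, Status]) -> list[tuple[str, int]]:
    """Practices that need a POA&M line, heaviest deduction first."""
    scored = _complete(assessment)
    entries = [(p, deduction(p, s)) for p, s in scored.items() if s is not Status.MET]
    return sorted(entries, key=lambda e: (-e[1], e[0]))


if __name__ == "__main__":
    # Constructed self-assessment: MFA only on VPN and admin accounts (partial),
    # Windows not in FIPS mode, a 3-point practice half done, 3.1.20 never assessed.
    example = {
        "3.1.1": Status.MET,
        "3.5.3": Status.PARTIAL,
        "3.13.11": Status.NOT_MET,
        "3.4.2": Status.PARTIAL,
    }
    print("SPRS score:", sprs_score(example))  # 110 - (3 + 5 + 3 + 1) = 98
    for practice, points in poam_entries(example):
        print(f"  POA&M {practice}: -{points}")
```

Note how the unassessed 3.1.20 still costs a point: a self-assessment that silently omits practices inflates the score, which is exactly the pattern the False Claims Act warning above is about. The PARTIAL on 3.4.2 costs the full 3 points because partial credit exists only for the two named practices.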

Remaining Domains

The full 14 domains also include: MA (Maintenance, 6 practices) — controlled maintenance, MFA for remote maintenance sessions, sanitization of equipment sent off-site for repair; PE (Physical Protection, 6 practices) — physical access controls, visitor escort, physical access audit logs; PS (Personnel Security, 2 practices) — background screening, termination and transfer procedures; and CA (Security Assessment, 4 practices) — periodic internal assessments, a System Security Plan, and POA&M management for any NOT MET practice. Note that CMMC Level 2 limits what a POA&M can cover: certification with open items requires a score of at least 88 and no 5-point practices on the POA&M (with narrow exceptions), and the items must be closed within 180 days.


Related reading: How to write a FedRAMP System Security Plan that gets approved

From zero to SPRS submission in one week.

The Federal Compliance Pack's CMMC Assessment agent walks through all 14 domains, scores each practice, calculates your SPRS score, generates the DoD 7012 System Security Plan, and creates POA&M entries for every NOT MET practice. One MSP client went from zero to SPRS submission in 7 days.

Get Federal Compliance Pack — $199/mo