Deretti Cyber Labs CMMC Desk · Domains

The domains.

Fourteen families, one page each — once you know which one you need.

Level 2’s 110 security requirements sort into 14 families, defined by NIST SP 800-171 Revision 2. Each family gets its own page: what it protects, what the rule actually says, and where it tends to fail in an ordinary shop. This index is a way to find the family you need — it is not itself a framework, checklist, or crosswalk.

01About this grouping

The 14 rows below mirror NIST SP 800-171 Revision 2’s own structure — the same families the rule itself uses, in the same numbering. Grouping them here is a navigation aid, nothing more: it helps a reader with one specific question (“what does the access-control family actually require?”) find the right page without reading the whole desk in order. It is not a Cyber Labs framework, not a maturity model, and not a crosswalk to any other standard. Every family page traces back to the same primary source: the requirement text and assessment objectives, cited inline.

For what a specific level requires overall, see The Levels. For which assets are actually in scope before any of this applies, see Scope & Boundary.

02The fourteen families

Ordered by family code. All fourteen are published. Counts are Level 2 (NIST SP 800-171 Rev. 2) requirement totals and sum to 110. Each family page opens with an at-a-glance box — count, POA&M sensitivity, what evidence tends to look like — for fast comparison.

The 14 CMMC Level 2 security-requirement families, their codes, requirement counts, and what each covers
FamilyCode800-171 R2 §CountWhat it covers
Access Control AC 3.1 22 Who can touch CUI and how that’s enforced, including remote access. The largest family.
Awareness & Training AT 3.2 3 Security and insider-threat awareness. Small lift, often skipped.
Audit & Accountability AU 3.3 9 Logs that can answer questions later — retention and review, not collection for its own sake.
Security Assessment CA 3.12 4 The SSP lives here (3.12.4) — the document the rest of the program hangs on.
Configuration Management CM 3.4 9 Baselines, change control, and least functionality.
Identification & Authentication IA 3.5 11 Multifactor authentication (3.5.3) and replay resistance — the desk’s cross-link into Privacy & Identity.
Incident Response IR 3.6 3 Capability, reporting, and testing — adjacent to, but distinct from, DFARS 7012’s 72-hour reporting clock.
Maintenance MA 3.7 6 Maintenance tools, sanitization before off-site work, and nonlocal maintenance MFA.
Media Protection MP 3.8 9 Marking, sanitizing, and transporting media that carries CUI.
Physical Protection PE 3.10 6 Physical access, visitor logs, and alternate work sites.
Personnel Security PS 3.9 2 Screening, and revoking access at termination or transfer.
Risk Assessment RA 3.11 3 Risk assessment, vulnerability scanning, and remediation cadence.
System & Communications Protection SC 3.13 16 Boundary protection and FIPS-validated cryptography for CUI (3.13.11), with its own POA&M exception.
System & Information Integrity SI 3.14 7 Flaw remediation, malicious-code protection, and monitoring.

Family codes, section numbers, and counts: NIST SP 800-171 Rev. 2. 32 CFR 170.4 (“CMMC Level 2 security requirement”) ties these requirements to CMMC Level 2.