The 6 largest CMMC Level 3 Domains

While there are 17 CMMC domains, you might be wondering which domains have the most number of practices? Which might be the areas an assessor will spend most of his/her time during an assessment? In this video, we will explore the top 6 CMMC Level 3 domains based on the number of practices.

These 6 domains consist of 82 practices out of 130, which is about 63% of all CMMC Level 3 practices. The domains are: Access Control (AC), System & Communications Protection (SC), Audit & Accountability (AU), Identification & Authentication (IA), System & Information Integrity (SI), and Configuration Management (CM). I will quickly go over each of the 6 domains to explore its objectives as well as the capabilities it covers.

This under 7m video features Kyle Lai of KLC Consulting discussing the 6 largest CMMC Level 3 domains from the perspective of the number of practices each covers. Its information is based on CMMC model version 1.02.

Access Control (AC)

Access Control activities ensure that access granted to organizational systems and the information is accurate based on defined access requirements. These requirements are developed based on the organization’s needs, balanced with the security requirements needed to protect the organization’s assets. Access control domain contains 4 capabilities: 1. Establish system access requirements, 2. Control internal system access, 3. Control remote system access, and finally 4. Limit data access to authorized users and processes.

System & Communications Protection (SC)

System and communications protection activities ensure the organization is actively identifying, managing, and controlling all systems and the communication channels to store or transmit CUI. The system and communications protection domain consists of 2 capabilities: 1. Define security requirements for systems and communications and 2. Control communications at system boundaries.

Audit & Accountability (AU)

Audit & accountability is defined as a chronological record that reconstructs and examines the sequences of activities surrounding or leading up to a specific operation, procedure or event in a security relevant transaction; to ensure that the action of an entity may be traced uniquely back to that entity. The audit and accountability domain contains 4 capabilities: 1. Define audit requirements, 2. Perform auditing, 3. Identify and protect audit information, and lastly 4. Review and manage audit logs.

Identification & Authentication (IA)

Identification & authentication domain activities ensure identities who have access to CUI are established, managed and authenticated in accordance to the CUI protection requirements. The identification and authentication domain contains one capability: 1. Grant access to authenticated entities.

System & Information Integrity (SI)

System & information integrity activities ensure that technology assets, such as desktops or software that contains CUI, are continuously monitored to detect violations of the authorized security state. Additionally, email, which is a common attack vector, is monitored and protected to detect malicious activities. The system and information integrity domain contains 4 capabilities: 1. Identify and manage information system flaws, 2. Identify malicious content, 3. Perform network and system monitoring, and finally 4. Implement advanced email protections.

Configuration Management (CM)

Configuration management activities focus on defining the configuration and the change management processes. The configuration management domain consists of 2 capabilities: 1. Establish configuration baselines and 2. Perform configuration and change management. 

CMMC Level 3 seems to be a lot of work. While there are no shortcuts, we at KLC Consulting may be able to help you work smarter by simplifying processes. If we identify an opportunity to implement tools to improve efficiency, a way to write scripts to automate manual processes, or to outsource some parts of your security operations to reduce risks, we will make those recommendations to you. My name is Kyle Lai president and Chief Information Security Officer at KLC Consulting. If you have any questions or need any help on CMMC, please contact us at or visit us at We look forward to hearing from you. Thank you.

CMMC level 3 domains.  KLC Consulting is a cleared C3PAO candidate that provides flexible and affordable CMMC and NIST 800-171 consulting services

For more information about interim DFARS rules for CMMC Level 3, visit our blog post.

For a VERY convenient guide to help determine your CUI boundary visit our blog post here

Please visit our YouTube Channel for other free resources and cybersecurity discussion topics. LIKE and SUBSCRIBE!

And please visit us on LinkedIn.

Scroll to Top