ControlMap

CMMC Level 2

The Cybersecurity Maturity Model Certification (CMMC) Level 2 aligns with NIST SP 800-171 and is required for Department of Defense contractors handling Controlled Unclassified Information (CUI). It includes 110 practices across 14 domains covering access control, audit, configuration management, and incident response.

94%
Coverage
46
Controls Covered
3
Gaps
49
Total Controls

Covered Controls

Controls that have explicit mappings to CMMC requirements.

Govern (4 controls)

Gp Governance Policy
CA.L2-3.12.1, CA.L2-3.12.4
 Rm Risk Management
RM.L2-3.11.1, RM.L2-3.11.2
 Rr Roles & Responsibilities
PS.L2-3.9.2
 Cm Compliance
CA.L2-3.12.1

Identify (5 controls)

Am Asset Management
CM.L2-3.4.1, CM.L2-3.4.2
 Ra Risk Assessment
RM.L2-3.11.1, RA.L2-3.11.2
 Da Data Classification
MP.L2-3.8.1, MP.L2-3.8.2
 Vn Vulnerability Mgmt
RA.L2-3.11.2, SI.L2-3.14.1
 Ti Threat Intelligence
RA.L2-3.11.3

Protect (21 controls)

Aw Awareness & Training
AT.L2-3.2.1, AT.L2-3.2.2
 Ac Access Control
AC.L2-3.1.1, AC.L2-3.1.2
 Mf Multi-Factor Auth
IA.L2-3.5.3
 En Encryption
SC.L2-3.13.8, SC.L2-3.13.11
 Dp Data Protection
MP.L2-3.8.1, SC.L2-3.13.16
 Bk Backup & Recovery
RE.L2-3.8.9
 Pa Privileged Access
AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.7
 Fw Firewall / Net Seg
SC.L2-3.13.1, SC.L2-3.13.5, SC.L2-3.13.6
 Ep Endpoint Protection
SI.L2-3.14.2, SI.L2-3.14.4
 Pm Patch Management
SI.L2-3.14.1
 Cf Secure Config
CM.L2-3.4.1, CM.L2-3.4.2, CM.L2-3.4.6
 Sd Secure Development
SA.L2-3.16.1, SA.L2-3.16.2
 Ml Email Security
SI.L2-3.14.5
 Ws Web Security
SC.L2-3.13.1
 Zt Zero Trust
AC.L2-3.1.1, SC.L2-3.13.1
 Mb Mobile Security
AC.L2-3.1.18, AC.L2-3.1.19
 Cl Cloud Security
SC.L2-3.13.1, AC.L2-3.1.1
 Ds DNS Security
SC.L2-3.13.1
 Wf WAF
SC.L2-3.13.1
 Dl DLP
MP.L2-3.8.3, SC.L2-3.13.16
 Ap API Security
SC.L2-3.13.1, SA.L2-3.16.1

Detect (6 controls)

Sm Cont. Monitoring
SI.L2-3.14.6, SI.L2-3.14.7
 Lg Logging & Audit
AU.L2-3.3.1, AU.L2-3.3.2
 Id Intrusion Detection
SI.L2-3.14.6
 An Anomaly Detection
SI.L2-3.14.6, SI.L2-3.14.7
 Sg SIEM / SOC
AU.L2-3.3.1, SI.L2-3.14.6
 It Insider Threat
AC.L2-3.1.1, AU.L2-3.3.1, PS.L2-3.9.2

Respond (5 controls)

Ir Incident Response
IR.L2-3.6.1, IR.L2-3.6.2
 Fn Forensics
IR.L2-3.6.1
 Co Communication
IR.L2-3.6.2
 Mt Mitigation
IR.L2-3.6.1
 Rp Reporting
IR.L2-3.6.2, IR.L2-3.6.3

Recover (5 controls)

Rc Recovery Planning
RE.L2-3.8.9
 Bc Business Continuity
RE.L2-3.8.9
 Ll Lessons Learned
IR.L2-3.6.3
 Cr Comms & Restore
IR.L2-3.6.2
 Dr Disaster Recovery
RE.L2-3.8.9

Not Covered by CMMC (3 controls)

These controls are tracked by ControlMap but do not have explicit CMMC mappings. Organizations relying on CMMC should consider supplementing with additional frameworks to address these gaps.

Sc Supply Chain Risk
Covered by: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR
 Be Business Environment
Covered by: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR
 Vr Vendor Risk Mgmt
Covered by: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR

CMMC vs Other Frameworks

CMMC provides 94% coverage of the 49 cybersecurity controls tracked by ControlMap. NIST CSF 2.0 covers 100%, ISO 27001 covers 100%, CIS v8 covers 90%, SOC 2 covers 100%, PCI DSS covers 100%, 800-53 covers 100%, HIPAA covers 94%, GDPR covers 96%. For maximum coverage, organizations often combine CMMC with complementary frameworks to address gaps in areas like supply chain risk, business environment, vendor risk mgmt.

Other Frameworks

NIST CSF 2.0 ISO 27001 CIS v8 SOC 2 PCI DSS 800-53 HIPAA GDPR
View CMMC in Interactive Dashboard