CMMC A to Z: Configuration, Identification, IR, Maintenance, and Protection

This post results from the project “AMSec” within the Munich Cyber Security Program (MCSP) The MCSP is a cooperation project between Champlain College and ComCode (Germany). This project focuses on CMMC topics in the context of Additive Manufacturing

Two weeks ago we discussed the first four capability domains of the Department of Defense’s new CMMC Framework. Among them were: Access Control, Asset Management, Awareness/Training, and Auditing/Accountability. Today, we will be discussing five additional capability domains of the framework. It’s important to note that these capability domains are all crucial to maintaining a secure and compliant environment, as far as the U.S. Department of Defense is concerned. The purpose of these blog posts is not simply to list out these domains and what they require, but to help others better understand why the DoD is looking for these practices as well as how crucial they are to supply chain security.

CM – Configuration Management

Configuration Management goes hand in hand with Asset Management within every major step. In basic terms, CM revolves around a process for maintaining all major assets including both hardware and software. Everything you do within an organization when dealing with assets should be documented, and CM prevents you from making any major or minor changes without documenting it first. Keeping up with these minor changes allows you to avoid major issues down the road when it comes to large-scale repairs, major patching, dealing with end-of-life hardware, etc.

IA – Identification & Authentication

While Identification and Authentication are grouped in this domain, they are not synonymous. Identification is the act of “identifying” an individual, indicating their identity whereas authentication is the act of authenticating that the individual claiming such an identity is actually who they claim to be. For example, when logging into a secure system, that system asks for a login ID. This is the step of identification. When a password is entered, decrypted, and matched to a stored encrypted password, this is the action of authentication. It’s crucial to ensure that all secure systems are properly configured with such basic methods. Systems without passwords, non-expiring passwords, or default credentials create a whole ecosystem of potential security issues.

IR – Incident Response

Incident Response is one of the largest fields in Cybersecurity, so it’s only natural to dedicate an entire domain of the CMMC to it. “Incidents” typically consist of data breaches, cyberattacks, large-scaled malware infections, and similar occurrences. By responding to this incident, IR teams are ensuring that damage is limited both for the sake of confidential information being protected as well as keeping costs of such an incident down. Many non-IR individuals may not realize that publicity is also a huge part of incident response. Brand reputation is a huge part of any organization’s success in dealing with vendors and customers, and protecting that reputation is a direct responsibility of Incident Responders.

The SANS institute outlines six main steps for Incident Response that every organization should strive to follow:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

MA – Maintenance

Don’t think of this domain as simple helpdesk work when it comes to maintaining systems, it’s so much more than that. While Incident Response is a responsive measure, MA can be seen as a preventative measure. By being proactive and maintaining systems, services, software, and networks, you can lower the probability of a major incident that would require a large-scale incident response procedure.

One of the most important aspects of this domain is keeping systems up to date with the latest security updates and hotfixes, patching vulnerabilities as fast as possible. Many organizations should have a procedure outlined with specific deadlines for patching such vulnerabilities.

It’s also super important to stay focused on life cycle maintenance with all systems, not just the most major ones in use. Remember, we are only as strong as our weakest link, and it takes one EOL device that is no longer secure to put an entire organization at risk.

MP – Media Protection

Media protection is exactly what it sounds like, ensuring media is protected along every step of the supply and organizational process. This includes protecting media at rest, controlling access to media by authorized users, and ensuring that media is properly wiped and sanitized before disposal or redistribution.

This is especially important for CUI and any other confidential information that your organization may be dealing with. The CMMC outlines strict guidelines for wiping and protecting data at rest, especially the use of USB devices which, albeit discouraged, is permitted under the framework.

Throughout the coming weeks, we will cover the remaining 8 capabilities, including Physical Protection, Risk Management, and Security Assessments.

Follow us for more updates on this project!  For further questions about Munich Cyber Security Program, or this project please feel free to contact

Written By: Austin Grupposo ’23 // Digital Forensics & Cybersecurity

More Partners
The End: DFIR
Winding Down: CMMC Setbacks, MCSP Experience, and the Future
CMMC A to Z: Personnel, Physical Protection, and Recovery