Compliance crosswalk · CMMC 2.0
CMMC 2.0 (US DoD) - email + domain controls, mapped to Wiredepth
Framework version: Final rule effective December 2024; phased contract inclusion 2025-2028
Who this is for. Contractors + subcontractors in the Defense Industrial Base (DIB) handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 establishes three certification levels:
- Level 1 (Foundational) - 17 basic safeguarding requirements from FAR 52.204-21. Annual self-assessment.
- Level 2 (Advanced) - 110 security requirements from NIST SP 800-171 Rev. 2. Third-party assessment by a C3PAO every 3 years for most contracts.
- Level 3 (Expert) - 110 from 800-171 plus ~24 from NIST SP 800-172. Government-led assessment.
Where email + domain controls fit. Multiple CMMC domains touch email: Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA), Incident Response (IR), System + Communications Protection (SC), and System + Information Integrity (SI). The control numbering below uses the NIST 800-171 reference CMMC adopts. Note: CMMC 2.0 dropped maturity processes from the v1 model; you no longer document process maturity separately - the controls themselves are the assessment scope.
Clause-by-clause mapping
Each row maps a specific CMMC 2.0 requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).
| Clause | Category | Requirement | Wiredepth response |
|---|---|---|---|
| AC.L2-3.1.1 - Limit system access | Authentication | Limit information system access to authorised users, processes, or devices. For email: domain-level sender authentication identifies the authorised sending entity. | DMARC + DKIM + SPF analysers cover the per-domain authentication controls. Scorecard PDF is the per-domain artefact for the system security plan (SSP). |
| AU.L2-3.3.1 - Audit logging | Monitoring | Create + retain system audit logs + records to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorised system activity. | Audit-log Merkle chain (see /docs/verify) provides tamper-evident audit records meeting the NIST SP 800-171 Rev. 2 audit-integrity expectations CMMC adopts. The free public verifier lets a C3PAO validate without trusting the tool. |
| AU.L2-3.3.8 - Protection of audit information | Monitoring | Protect audit information + audit logging tools from unauthorised access, modification, and deletion. | The Merkle chain itself is the protection: any modification or deletion invalidates the chain head + breaks verification against the published anchor at /api/v1/audit/anchors. |
| IA.L2-3.5.3 - Multi-factor authentication | Authentication | Use multi-factor authentication for local and network access to privileged accounts + for network access to non-privileged accounts. | Email-auth posture (DMARC at p=reject) is the channel-security foundation that MFA-via-email loops depend on. The alert-on-regression feature catches when that foundation moves out from under MFA. |
| IR.L2-3.6.1 - Incident handling | Reporting | Establish an operational incident-handling capability that includes adequate preparation, detection, analysis, containment, recovery, and user-response activities. | Incident-readiness workpaper documents the response plan in the format a C3PAO assessor expects to see filed for IR.L2-3.6.1. Hosted DMARC report inbox provides the detection signal. |
| IR.L2-3.6.2 - Incident reporting | Reporting | Track, document, and report incidents to designated officials and authorities, both internal and external to the organisation. DoD cyber incident reporting via DIBNet within 72 hours per DFARS 252.204-7012. | Webhook + SIEM forwarding routes Wiredepth detections to the SOC pipeline that initiates DIBNet reporting. Audit-log Merkle chain provides the tamper-evident timeline. |
| SC.L2-3.13.8 - Transmission confidentiality | Transport | Implement cryptographic mechanisms to prevent unauthorised disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | TLS analyser scores per-domain transport encryption. MTA-STS analyser confirms enforcement on receiving servers. CUI-handling domains need TLS 1.2 minimum (per CNSSP-12); the algorithm-detection layer flags deprecated suites. |
| SC.L2-3.13.11 - FIPS-validated cryptography | Transport | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | TLS analyser reports negotiated cipher suites; defenders verify the suite is FIPS-validated for CUI-handling domains. Per-port testing catches non-FIPS suites silently negotiated on submission ports. |
| SI.L2-3.14.6 - Monitoring inbound + outbound traffic | Monitoring | Monitor organisational systems including inbound + outbound communications traffic to detect attacks + indicators of potential attacks. | Hosted DMARC report inbox catches authentication-failure spikes on inbound mail. Continuous outbound posture monitoring + threat-intel layer cover the outbound side. |
| CMMC Level 3 - NIST 800-172 enhancements | Monitoring | Level 3 adds ~24 enhanced controls from NIST SP 800-172 targeting advanced persistent threat resistance. Several touch email + the broader cyber-threat-intelligence surface. | Threat-intel layer + brand watchlist + leak-site monitoring cover the APT-resistance signals NIST 800-172 enhancements target. Higher-tier Wiredepth subscriptions (Power User + MSP) provide the surface area Level 3 contractors typically need. |
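The tamper-evidence property the AU.L2-3.3.1 and AU.L2-3.3.8 rows rely on, shown as an added illustration that is not Wiredepth's own code or log format: each link commits to the previous link plus the record, the published anchor is the chain head, and any edit, deletion or reordering of records changes the recomputed head so verification against the anchor fails. The record fields and genesis value are constructed assumptions.

```python
import hashlib
import json

# Constructed sample audit records (not a real Wiredepth log format).
RECORDS = [
    {"seq": 1, "ts": "2025-03-01T09:00:00Z", "event": "dmarc_policy_read",
     "domain": "example.com", "policy": "p=reject"},
    {"seq": 2, "ts": "2025-03-01T09:05:00Z", "event": "tls_scan",
     "domain": "example.com", "min_version": "TLSv1.2"},
    {"seq": 3, "ts": "2025-03-02T10:00:00Z", "event": "dmarc_policy_read",
     "domain": "example.com", "policy": "p=none"},
]

GENESIS = "0" * 64  # assumed fixed starting value for the chain


def canonical(record):
    # Stable serialisation so an identical record always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash, record):
    # Each link commits to the previous link (fixed 64-hex prefix) and this record.
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


def chain_head(records, genesis=GENESIS):
    # Fold the whole log from genesis; the result is the chain head.
    head = genesis
    for record in records:
        head = link_hash(head, record)
    return head


def publish_anchor(records):
    # The anchor an independent verifier would be handed (here: the head).
    return chain_head(records)


def verify_against_anchor(records, anchor):
    # True only if every record is intact, present, and in the original order.
    return chain_head(records) == anchor


if __name__ == "__main__":
    anchor = publish_anchor(RECORDS)
    print("intact:", verify_against_anchor(RECORDS, anchor))
    tampered = [dict(r) for r in RECORDS]
    tampered[2]["policy"] = "p=reject"  # an attempt to hide the p=none regression
    print("edited record:", verify_against_anchor(tampered, anchor))
    print("deleted record:", verify_against_anchor(RECORDS[:2], anchor))
```

Recomputing from genesis rather than from the last stored link is what lets a verifier such as a C3PAO check the log without trusting the tool that produced it.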
What auditors actually look at
A C3PAO assessor reviewing the email + domain surface for Level 2 would typically request:
- The system security plan (SSP) entries for AC.L2-3.1.1, AU.L2-3.3.1, AU.L2-3.3.8, IA.L2-3.5.3, IR.L2-3.6.1, SC.L2-3.13.8, SC.L2-3.13.11, SI.L2-3.14.6
- POA&M (Plan of Action and Milestones) entries for any not-yet-met controls
- Per-domain DMARC + TLS posture sampled across the assessment window
- Service-provider register for authorised email senders + the DFARS flowdown evidence
- Incident records + DIBNet submission history (where applicable)
Generate a CMMC 2.0-tagged evidence pack (Wiredepth Prove)
Prove subscribers can generate a ZIP of all five workpapers + a CMMC 2.0 README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).
Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.