To assist suppliers in enhancing their cyber security protections, the DIB SCC Industry Task Force is identifying and posting links to helpful publicly available cybersecurity resources. The resources were selected both to help companies (i) meet DoD and other U.S. cybersecurity standards applicable to U.S. federal contractors (e.g., FAR Basic Safeguarding clause, DFARS Safeguarding CDI clause, CMMC); and (ii) otherwise improve their current cybersecurity protections.
Below you will find CMMC practices grouped by level and by domain. Each practice contains helpful publicly available cybersecurity resources and clarifaction from CMMC Model v1.02 Appendix B. Additionally a table of the 61 CMMC specific practices that do not originate from FAR Clause 52.204-21 or DFARS Clause 252.204-7012. is provided for convenience.
If you are looking for further information about CMMC, visit our additional resources page for links to:
- Official Websites
- Information & Resources
CMMC Specific Practices
The majority of the practices (110 of 171) originate from the safeguarding requirements and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012, respectively.
- Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21
- Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST SP 800-171 plus other practices
The remaining practices stem from multiple references as well as inputs from the DIB and DoD stakeholders. Due to various considerations, CMMC Levels 4-5 include only a subset of the enhanced security requirements from Draft NIST SP 800-171B.