The CMMC model measures cybersecurity maturity with five levels and aligns a set of processes and practices with the type and sensitivity of information to be protected and the associated range of threats. The model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the broader community. The model encompasses the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21 and the security requirements for CUI specified in NIST SP 800-171 per DFARS Clause 252.204-7012.
To assist suppliers in enhancing their cyber security protections, the DIB SCC Industry Task Force is identifying and posting links to helpful publicly available cybersecurity resources. The resources were selected both to help companies (i) meet DoD and other U.S. cybersecurity standards applicable to U.S. federal contractors (e.g., FAR Basic Safeguarding clause, DFARS Safeguarding CDI clause, CMMC); and (ii) otherwise improve their current cybersecurity protections.
Below you will find CMMC practices grouped by level and by domain. Each practice contains helpful publicly available cybersecurity resources and clarification from CMMC Model v1.02 Appendix B. Additionally a table of the 61 CMMC specific practices that do not originate from FAR Clause 52.204-21 or DFARS Clause 252.204-7012. is provided for convenience.
The CMMC model measures cybersecurity maturity with five levels. Each of these levels, in turn, consists of a set of processes and practices. The processes range from ‘Performed’ at Level 1 to ‘Optimizing’ at Level 5 and the practices range from ‘Basic Cyber Hygiene’ at Level 1 to ‘Advanced/Progressive’ at Level 5. The CMMC levels and the associated sets of processes and practices across domains are cumulative. More specifically, in order for an organization to achieve a specific CMMC level it must also demonstrate achievement of the preceding lower levels.
The CMMC model consists of 17 domains. The majority of these domains originate from the security-related areas in Federal Information Processing Standards (FIPS) Publication 200 and the related security requirement families from NIST SP 800-171. The CMMC model also includes the three domains of Asset Management (AM), Recovery (RE), and Situational Awareness (SA).
CMMC Specific Practices
The majority of the practices (110 of 171) originate from the safeguarding requirements and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012, respectively.
- Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21
- Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST SP 800-171 plus other practices
The remaining practices stem from multiple references as well as inputs from the DIB and DoD stakeholders. Due to various considerations, CMMC Levels 4-5 include only a subset of the enhanced security requirements from NIST SP 800-172 (formerly NIST SP 800-171B).
CMMC Process Maturity
Process Maturity represents an organization’s commitment and consistency to performing their processes. Measuring Process Maturity determines how well practices are defined, executed, and managed. A higher level of Process Maturity contributes to more stable processes that produce consistent and expected results over time. Mature processes are retained during times of stress – enabling an organization to better prevent and respond to a cyberattack.