CMMC Specific Practices

The majority of the practices (110 of 171) originate from the safeguarding requirements and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012, respectively.

• Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21
• Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST SP 800-171 plus other practices

The remaining practices stem from multiple references as well as inputs from the DIB and DoD stakeholders. Due to various considerations, CMMC Levels 4-5 include only a subset of the enhanced security requirements from NIST SP 800-172 (formerly NIST SP 800-171B).