On January 30, 2020 the Office of the Under Secretary of Defense for Acquisition & Sustainment released CMMC v1 and it includes the CMMC Model v1.0 Overview, Process, Practice Descriptions and Clarifications, Glossary, Abbreviations and Acronyms, Source Mapping and References.
Latest Update
CMMC Model v1.02 Release
The Department of Defense is updating the documentation for CMMC Model v1.0 to correct administrative errors identified since January 31, 2020. The itemized list of corrected errata, as well as a more accessible version of the model (i.e. tabular format in Excel), are provided with the release of CMMC Model v1.02. The Department has made no substantive nor critical changes to the model relative to v1.0. CMMC Model
CMMC v1.0 Model Overview
CMMC is a unified cybersecurity standard for future DoD acquisitions and encompasses the following:
- 17 capability domains; 43 capabilities
- 5 processes across five levels to measure process maturity
- 171 practices across five levels to measure technical capabilities
| CMMC Level | Practices | Processes |
|---|---|---|
| Level 1 | 17 | – |
| Level 2 | 55 | 2 |
| Level 3 | 58 | 1 |
| Level 4 | 26 | 1 |
| Level 5 | 15 | 1 |
Download the full CMMC Model (pdf)
CMMC v1 Model Framework
CMMC model framework organizes processes and cybersecurity best practices
into a set of domains:
- Process maturity or process institutionalization characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that:
- An organization will continue to perform the activity – including under times of stress – and
- The outcomes will be consistent, repeatable and of high quality.
- Practices are activities performed at each level for the domain
CMMC Model Structure in v1.0
17 Capability Domains for v1.0
- Asset Management (AM)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- System and Information
- Integrity (SI)
- System and Communications Protection (SC)
- Situational Awareness (SA)
- Security Assessment (CA)
- Physical Protection (PE)
- Risk Management (RM)
- Recovery (RE)
CMMC 5 levels measure cybersecurity maturity
| CMMC Level | Processes | Processes |
|---|---|---|
| Level 1 | Performed | Advanced Progressive |
| Level 2 | Documented | Proactive |
| Level 3 | Managed | Good Cyber Hygiene |
| Level 4 | Reviewed | Intermediate Cyber Hygiene |
| Level 5 | Optimizing | Basic Cyber Hygiene |
CMMC Level 1 : Performed
0 PROCESSES: Select practices are documented where required
CMMC Level 2 : Documented
2 PROCESSES:
- Each practice is documented, including Level 1 practices
- A policy exists that includes all activities
CMMC Level 3 : Managed
3 PROCESSES
- Each practice is documented, including lower levels
- A policy exists that cover all activities
- A plan exists, is maintained, and resourced that includes all activities (Planning activities may include mission, goals, project plan, resourcing, training needed, and involvement of relevant stakeholders
CMMC Level 4 : Reviewed
4 PROCESSES
- Each practice is documented, including lower levels
- A policy exists that covers all activities
- A plan exists that includes all activities
- Activities are reviewed and measured for effectiveness (results of the review is shared with higher level management)
CMMC Level 5 : Optimizing
- Each practice is documented, including lower levels
- A policy exists that covers all activities
- A plan exists that includes all activities
- Activities are reviewed and measured for effectiveness (results of the review is shared with higher level management)
- There is a standardized, documented approach across all applicable organizational units
CMMC v1.0 Practice Progression
CMMC Level 1 : Basic Cyber Hygiene
17 PRACTICES
- Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204- 21
CMMC Level 2 : Intermediate Cyber Hygiene
72 PRACTICES
- Comply with the FAR
- Includes a select subset of 48 practices from the NIST SP 800- 171 r1
- Includes an additional 7 practices to support intermediate cyber hygiene
CMMC Level 3 : Good Cyber Hygiene
130 PRACTICES
- Comply with the FAR
- Encompasses all practices from NIST SP 800-171 r1
- Includes an additional 20 practices to support good cyber hygiene
CMMC Level 4 : Proactive
156 PRACTICES
- Comply with the FAR
- Encompasses all practices from NIST SP 800-171 r1
- Includes a select subset of 11 practices from Draft NIST SP 800-171B
- Includes an additional 15 practices to demonstrate a proactive cybersecurity program
CMMC Level 5 : Advanced Progressive
171 PRACTICES
- Comply with the FAR
- Encompasses all practices from NIST SP 800-171 r1
- Includes a select subset of 11 practices from Draft NIST SP 800-171B
- Includes an additional 11 practices to demonstrate an advanced cybersecurity program
CMMC Model v1.0 Source Counts
Model leverages multiple sources and references
- CMMC Level 1 only addresses practices from FAR Clause 52.204-21
- CMMC Level 3 includes all of the practices from NIST SP 800-171r1 as well as others
- CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-171B plus others
- Additional sources, such as the UK Cyber Essentials and Australia Cyber Security Centre Essential Eight Maturity Model, were also considered and are referenced in the model
Number of Practices per Source
| CMMC Level | Total no of Practices | ||||
|---|---|---|---|---|---|
| 48 CFR 52.204-21 | NIST SP 800-171r1 | Draft NIST SP 800-171B ** | Other | ||
| Level 1 | 17 | 15* | 17* | – | – |
| Level 2 | 55 | – | 48 | – | 7 |
| Level 3 | 58 | – | 45 | – | 13 |
| Level 4 | 26 | – | – | 11 | 15 |
| Level 5 | 15 | – | – | 4 | 11 |
- 15 safeguarding requirements from FAR clause 52.204-21 correspond to 17 security requirements from NIST SP 800-171r1, and in turn, 17 practices in CMMC
- 18 enhanced security requirements from Draft NIST SP 800-171B have been excluded from CMMC Model v1.0
CMMC v1 Model Appendixes
Appendix A provides the model in tabular form with all practices organized by Domain (DO), Capability, and Level (L)
- Practices are numbered as DO.L.###, with a unique number ###
- Each practice includes up to nine sources
Appendix A also includes maturity level processes
- Processes are generalized but apply to all domains
- Processes are numbered as ML.L.99#
Appendix B Process and Practice Descriptions include:
- Discussion, derived from source material where available
- Clarification with examples
- A list of references
Same framework as model
- Processes are generalized but apply to all domains
- Practices are ordered by domain and level
Appendix E Source Mapping summarizes the list of sources for all five processes and 171
practices. Sources include:
- FAR Clause 52.204-21
- NIST SP 800-171 Rev 1
- Draft NIST SP 800-171B
- CIS Controls v7.1
- NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
- CERT Resilience Management Model (CERT RMM) v1.2
- NIST SP 800-53 Rev 4
- Others such as CMMC, UK NCSC Cyber Essentials, or AU ACSC Essential Eight
Download the Appendices of CMMC Model v1.0
More info: https://www.acq.osd.mil/cmmc/draft.html