CMMC aims to improve information security across the defense industrial base (DIB) by establishing five maturity levels. Each level represents a gradual increase in the cybersecurity practices an organization must implement. These practices are based on the well-regarded NIST SP 800-171 security controls.
Organizations are evaluated by independent assessors to determine their CMMC level. A higher level indicates a stronger cybersecurity posture and translates into a competitive edge in DoD contracts. CMMC certification is not a one-time event: organizations must continuously improve their cybersecurity practices to maintain their certification level.
✦3.1 ACCESS CONTROL
NIST 800-171 control 3.1 emphasizes access control as a crucial cybersecurity measure. It mandates restricting access to authorized users, processes,...
✦3.2 AWARENESS AND TRAINING
NIST 800-171 control 3.2 helps organizations improve employee cybersecurity awareness and reduce security risks by training them on relevant policies...
✦3.3 AUDIT AND ACCOUNTABILITY
NIST 800-171 control 3.3 focuses on audit and accountability, aiming to track user actions and system activity. It mandates creating and keeping syst...
✦3.4 CONFIGURATION MANAGEMENT
NIST 800-171 control 3.4 focuses on establishing a systematic approach to understanding, controlling, and tracking changes made to IT systems. This i...
✦3.5 IDENTIFICATION AND AUTHENTICATION
NIST 800-171 control 3.5 focuses on securing access to systems by requiring identification and authentication of users, processes, and devices. This...
✦3.6 INCIDENT RESPONSE
NIST 800-171 control 3.6 requires organizations to have a plan for handling security incidents. This includes preparing for, detecting, analyzing, co...
✦3.7 MAINTENANCE
NIST 800-171 control 3.7 focuses on secure system maintenance practices. It mandates controls for all maintenance activities, including those perform...
✦3.8 MEDIA PROTECTION
NIST 800-171 control 3.8 outlines safeguards for information classified as Controlled Unclassified Information (CUI). These controls focus on securin...
✦3.9 PERSONNEL SECURITY
NIST 800-171 control 3.9 focuses on personnel security for protecting Controlled Unclassified Information (CUI). It mandates screening individuals be...
✦3.10 PHYSICAL PROTECTION
NIST 800-171 control 3.10 emphasizes physical safeguards for organizational systems and information. This includes restricting physical access to equ...
✦3.11 RISK ASSESSMENT
NIST 800-171 control 3.11 mandates regular risk assessments to safeguard Controlled Unclassified Information (CUI). This involves periodically evalua...
✦3.12 SECURITY ASSESSMENT
NIST 800-171 control 3.12 focuses on security assessment. It requires organizations to regularly evaluate the effectiveness of implemented security c...
✦3.13 SYSTEM AND COMMUNICATIONS PROTECTION
NIST 800-171 control 3.13 safeguards information systems and communication channels by requiring organizations to monitor, control, and protect them....
✦3.14 SYSTEM AND INFORMATION INTEGRITY
NIST 800-171 control 3.14 safeguards data from unauthorized modification and ensures its accuracy. It assigns responsibility for protecting data inte...
✦NIST Special Publication 800-171r3 (NIST SP 800-171r3)
NIST 800-171r3, formally titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is a recently issued publica...