CMMC – Model Framework

The CMMC model framework organizes processes and cybersecurity best practices into a set of 17 capability domains and 5 levels of maturity in practices and processes.

Table 1 is from CMMC version 1.02, dated March 18, 2020, and summarizes how the CMMC practices build on each maturity level.

The CMMC combines cybersecurity standards and best practices from multiple sources and references:

  • CMMC Level 1 is the minimum maturity level (Basic Cyber Hygiene) for protecting Federal Contract Information (FCI) and addresses practices from Federal Acquisition Regulations (FAR) 52.204-21.
  • CMMC Level 3 (Good Cyber Hygiene), the minimum maturity level for protecting Controlled Unclassified Information (CUI), includes the 110 security requirements specified in National Institute of Standards and Technology Special Publication (NIST SP) 800-171.
  • CMMC Levels 4 and 5 include additional technical practices derived from multiple sources such as NIST SP 800-171 plus others and are intended to provide enhanced security to critical technologies and acquisition programs.
  • The certification assessment will be performed by the CMMC Third-Party Assessor Organization (C3PAO) and will result in a Cybersecurity Maturity Model Certification (CMMC). The CMMC Accreditation Body is authorized by the US Department of Defense to be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DOD contractor community, or other communities that may adopt the CMMC.
