CMMC – Model Framework


The CMMC model framework organizes processes and cybersecurity best practices into a set of 17 capability domains and 5 levels of maturity in practices and processes.

Table 1 is from CMMC version 1.02, dated March 18, 2020, and summarizes how the CMMC practices build on each maturity level.

The CMMC combines cybersecurity standards and best practices from multiple sources and references:

  • CMMC Level 1 is the minimum maturity level (Basic Cyber Hygiene) for protecting Federal Contract Information (FCI) and addresses practices from Federal Acquisition Regulations (FAR) 52.204-21.
  • CMMC Level 3 (Good Cyber Hygiene), the minimum maturity level for protecting Controlled Unclassified Information (CUI), includes the 110 security requirements specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
  • CMMC Levels 4 and 5 include additional technical practices derived from multiple sources, such as NIST SP 800-171 and others, and are intended to provide enhanced security for critical technologies and acquisition programs.
  • The certification assessment will be performed by a CMMC Third-Party Assessor Organization (C3PAO) and will result in a Cybersecurity Maturity Model Certification (CMMC). The CMMC Accreditation Body is authorized by the US Department of Defense to be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DOD contractor community, or other communities that may adopt the CMMC.
