Cybersecurity Maturity Model Certification (CMMC)

The wait is finally over for contractors and subcontractors!

Once the CMMC is fully rolled out, you will no longer have to worry about complicated instructions and unnecessary, overly-burdensome requirements. The time to start your assessment is now. Check out the requirements schedule your free consultation with Craig today!

CMMC v1.0 Content Overview

The document includes:

  • CMMC Model and Summary
  • Appendix A: CMMC Model v1.0
  • Appendix B: Process and Practice Descriptions
  • Appendix C: Glossary
  • Appendix D: Abbreviations and Acronyms
  • Appendix E: Source Mapping
  • Appendix F: References

It is made up of:

  • 17 Domains
  • 43 capabilities
  • 71 practices to measure technical capabilities
  • 5 processes to measure the 5 levels

The framework of the CMMC is rather simple; it encompasses multiple Domains. Within those Domains are:

  • Processes (spanning five levels)
  • Capabilities (also spanning five levels), which also include Practices across the five levels

Important Terms

Federal Contract Information (FCI): Information provided by or provided to the US Government that is under contract but is not intended for public release.

Controlled Unclassified Information (CUI): Information that needs to be secured but isn't "classified."

Advanced Persistent Threats (APTs): Threats from highly sophisticated cyber adversaries.


CMMCv1.0 Maturity Levels (ML)


  • Practice
    • "Basic Cyber Hygiene"
    • 17 Practices for basic safeguarding of FCI
  • Process
    • "Performed"
    • No actual processes
  • Only addresses practices from the FAR Clause 52.204-21.


  • Practice
    • "Intermediate Cyber Hygiene"
    • 72 practices meant to help transition from safeguarding FCI to protecting CUI
  • Processes
    • "Documented"
    • 2 processes


  • Practice
    • "Good Cyber Hygiene"
    • 130 practices to protect CUI
  • Processes:
    • "Managed"
    • 1 process for safeguarding CUI
  • Includes all 110 security controls from NIST 800-171
  • All contractors handling CUI will be required to be CMMC Level 3 certified.


  • Practice
    • "Proactive"
    • Includes 130 practices to protect CUI from Level 3 PLUS an additional 26 controls to not only protect CUI but to also reduce the risk of APTs
  • Processes:
    • "Reviewed"
    • Actively take corrective measures
  • Mostly sourced from NIST 800-171 RevB.


  • Practice
    • "Advanced/Proactive"
    • Includes the 130 practices to protect CUI from Level 3 PLUS the 26 controls from Level and and additinoal 15 practices to further reduce the risk of APTs
  • Processes:
    • "Optimizing"
    • Focus on protecting CUI from APTs
  • Mostly sourced from NIST 800-171 RevB.

CMMC References

The CMMC is the government's attempt at simplifying cyber security requirements for their contractors; it is essentially encompassing all of the following guidelines and requirements:

  • FAR Clause 52.204-21 b.1.i
  • NIST SP 800-171 Rev 1 3.1.1
  • CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11
  • NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
  • CERT RMM v1.2 TM:SG4:SP1
  • NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17
  • AU ACSC Essential Eight

Don't Lose Your Contract!

Here at Petronella Technology Group, we think of the CMMC as wonderful new guidance on cyber security for you and your business. Schedule a free consultation with Craig today to make sure you are on the right track to keeping all of your valuable government contracts!