CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
REQUIREMENTS FOR CERTIFICATION
NUMBER OF TOTAL PRACTICES IN EACH DOMAIN THAT AN ORGANIZATION SHOULD COMPLY WITH, FOR EACH LEVEL.
The numbers are progressively cumulative. If an organization needs to comply with Level 2, for instance, they need to comply with all Level 1 requirements and all Level 2 requirements. Similarly, an organization seeking Level 3 certification will need to comply with all Level 1, Level 2 and Level 3 practices or requirements. Therefore, to comply with Level 5 requirements, an organization will need to comply with all Level 1, 2, 3 4 and 5 practices.
All DIB contractors will need to achieve Level 1 certification, and any contractors that deal with CUI information will need a Level 3 certification or higher.
L1 → Level 1 L2 → Level 2 L3 → Level 3 L4 → Level 4 L5 → Level 5
The number against each - L1, L2, L3, L4 or L5 - is the number of practices for that level within that domain
CLICK ON ANY OF THE LEVELS BELOW TO SEE THE DOMAIN AND PRACTICE REQUIREMENTS FOR THAT LEVEL
-
Level 1
Performed
Basic Cyber Hygiene
17 Practices
-
Level 2
Documented
Intermediate Cyber Hygiene
72 Practices
-
Level 3
Managed
Good Cyber Hygiene
130 Practices
-
Level 4
Reviewed
Proactive
156 Practices
-
Level 5
Optimizing
Advanced / Progressive
171 Practices
Basic Safeguarding of *FCI Transition step to protect **CUI Increasing protection of **CUI Reducing risk of ***APTs
AC – ACCESS CONTROL
Total: 4 Practices
| L1 – 4 | L2 - 10 |
| L3 – 8 | L4 – 3 |
| L5 – 1 | |
AM – ASSET MANAGEMENT
Total: 0 Practices
| L1 – 0 | L2 - 0 |
| L3 – 1 | L4 – 1 |
| L5 – 0 | |
AU – AUDIT AND ACCOUNTABILITY
Total: 0 Practices
| L1 – 0 | L2 - 4 |
| L3 – 7 | L4 – 2 |
| L5 – 1 | |
AT – AWARENESS AND TRAINING
Total: 0 Practices
| L1 – 0 | L2 - 2 |
| L3 – 1 | L4 – 2 |
| L5 – 0 | |
CM – CONFIGURATION MANAGEMENT
Total: 0 Practices
| L1 – 0 | L2 - 6 |
| L3 – 3 | L4 – 1 |
| L5 – 1 | |
IA – IDENTIFICATION AND AUTHENTICATION
Total: 2 Practices
| L1 – 2 | L2 - 5 |
| L3 – 4 | L4 – 0 |
| L5 – 0 | |
IR – INCIDENT RESPONSE
Total: 0 Practices
| L1 – 0 | L2 - 5 |
| L3 – 2 | L4 – 2 |
| L5 – 4 | |
MA – MAINTENANCE
Total: 0 Practices
| L1 – 0 | L2 - 4 |
| L3 – 2 | L4 – 0 |
| L5 – 0 | |
MP – MEDIA PROTECTION
Total: 1 Practice
| L1 – 1 | L2 - 3 |
| L3 – 4 | L4 – 0 |
| L5 – 0 | |
PS – PERSONNEL SECURITY
Total: 0 Practices
| L1 – 0 | L2 - 2 |
| L3 – 0 | L4 – 0 |
| L5 – 0 | |
PE- PHYSICAL PROTECTION
Total: 4 Practices
| L1 – 4 | L2 - 1 |
| L3 – 1 | L4 – 0 |
| L5 – 0 | |
RE - RECOVERY
Total: 0 Practices
| L1 – 0 | L2 - 2 |
| L3 – 1 | L4 – 0 |
| L5 – 1 | |
RM – RISK MANAGEMENT
Total: 0 Practices
| L1 – 0 | L2 - 3 |
| L3 – 3 | L4 – 4 |
| L5 – 2 | |
CA – SECURITY ASSESSMENT
Total: 0 Practices
| L1 – 0 | L2 - 3 |
| L3 – 2 | L4 – 3 |
| L5 – 0 | |
SA – SITUATIONAL AWARENESS
Total: 0 Practices
| L1 – 0 | L2 - 0 |
| L3 – 1 | L4 – 2 |
| L5 – 0 | |
SC – SYSTEM AND COMMUNICATIONS PROTECTION
Total: 2 Practices
| L1 – 2 | L2 - 2 |
| L3 – 15 | L4 – 5 |
| L5 – 3 | |
SI – SYSTEM AND INFORMATION INTEGRITY
Total: 4 Practices
| L1 – 4 | L2 - 3 |
| L3 – 3 | L4 – 1 |
| L5 – 2 | |
AC – ACCESS CONTROL
Total: 14 Practices
| L1 – 4 | L2 - 10 |
| L3 – 8 | L4 – 3 |
| L5 – 1 | |
AM – ASSET MANAGEMENT
Total: 0 Practices
| L1 – 0 | L2 - 0 |
| L3 – 1 | L4 – 1 |
| L5 – 0 | |
AU – AUDIT AND ACCOUNTABILITY
Total: 4 Practices
| L1 – 0 | L2 - 4 |
| L3 – 7 | L4 – 2 |
| L5 – 1 | |
AT – AWARENESS AND TRAINING
Total: 2 Practices
| L1 – 0 | L2 - 2 |
| L3 – 1 | L4 – 2 |
| L5 – 0 | |
CM – CONFIGURATION MANAGEMENT
Total: 6 Practices
| L1 – 0 | L2 - 6 |
| L3 – 3 | L4 – 1 |
| L5 – 1 | |
IA – IDENTIFICATION AND AUTHENTICATION
Total: 7 Practices
| L1 – 2 | L2 - 5 |
| L3 – 4 | L4 – 0 |
| L5 – 0 | |
IR – INCIDENT RESPONSE
Total: 5 Practices
| L1 – 0 | L2 - 5 |
| L3 – 2 | L4 – 2 |
| L5 – 4 | |
MA – MAINTENANCE
Total: 4 Practices
| L1 – 0 | L2 - 4 |
| L3 – 2 | L4 – 0 |
| L5 – 0 | |
MP – MEDIA PROTECTION
Total: 4 Practices
| L1 – 1 | L2 - 3 |
| L3 – 4 | L4 – 0 |
| L5 – 0 | |
PS – PERSONNEL SECURITY
Total: 2 Practices
| L1 – 0 | L2 - 2 |
| L3 – 0 | L4 – 0 |
| L5 – 0 | |
PE- PHYSICAL PROTECTION
Total: 5 Practices
| L1 – 4 | L2 - 1 |
| L3 – 1 | L4 – 0 |
| L5 – 0 | |
RE - RECOVERY
Total: 2 Practices
| L1 – 0 | L2 - 2 |
| L3 – 1 | L4 – 0 |
| L5 – 1 | |
RM – RISK MANAGEMENT
Total: 3 Practices
| L1 – 0 | L2 - 3 |
| L3 – 3 | L4 – 4 |
| L5 – 2 | |
CA – SECURITY ASSESSMENT
Total: 3 Practices
| L1 – 0 | L2 - 3 |
| L3 – 2 | L4 – 3 |
| L5 – 0 | |
SA – SITUATIONAL AWARENESS
Total: 0 Practices
| L1 – 0 | L2 - 0 |
| L3 – 1 | L4 – 2 |
| L5 – 0 | |
SC – SYSTEM AND COMMUNICATIONS PROTECTION
Total: 4 Practices
| L1 – 2 | L2 - 2 |
| L3 – 15 | L4 – 5 |
| L5 – 3 | |
SI – SYSTEM AND INFORMATION INTEGRITY
Total: 7 Practices
| L1 – 4 | L2 - 3 |
| L3 – 3 | L4 – 1 |
| L5 – 2 | |
AC – ACCESS CONTROL
Total: 22 Practices
| L1 – 4 | L2 - 10 |
| L3 – 8 | L4 – 3 |
| L5 – 1 | |
AM – ASSET MANAGEMENT
Total: 1 Practice
| L1 – 0 | L2 - 0 |
| L3 – 1 | L4 – 1 |
| L5 – 0 | |
AU – AUDIT AND ACCOUNTABILITY
Total: 11 Practices
| L1 – 0 | L2 - 4 |
| L3 – 7 | L4 – 2 |
| L5 – 1 | |
AT – AWARENESS AND TRAINING
Total: 3 Practices
| L1 – 0 | L2 - 2 |
| L3 – 1 | L4 – 2 |
| L5 – 0 | |
CM – CONFIGURATION MANAGEMENT
Total: 9 Practices
| L1 – 0 | L2 - 6 |
| L3 – 3 | L4 – 1 |
| L5 – 1 | |
IA – IDENTIFICATION AND AUTHENTICATION
Total: 11 Practices
| L1 – 2 | L2 - 5 |
| L3 – 4 | L4 – 0 |
| L5 – 0 | |
IR – INCIDENT RESPONSE
Total: 7 Practices
| L1 – 0 | L2 - 5 |
| L3 – 2 | L4 – 2 |
| L5 – 4 | |
MA – MAINTENANCE
Total: 6 Practices
| L1 – 0 | L2 - 4 |
| L3 – 2 | L4 – 0 |
| L5 – 0 | |
MP – MEDIA PROTECTION
Total: 8 Practices
| L1 – 1 | L2 - 3 |
| L3 – 4 | L4 – 0 |
| L5 – 0 | |
PS – PERSONNEL SECURITY
Total: 2 Practices
| L1 – 0 | L2 - 2 |
| L3 – 0 | L4 – 0 |
| L5 – 0 | |
PE- PHYSICAL PROTECTION
Total: 6 Practices
| L1 – 4 | L2 - 1 |
| L3 – 1 | L4 – 0 |
| L5 – 0 | |
RE - RECOVERY
Total: 3 Practices
| L1 – 0 | L2 - 2 |
| L3 – 1 | L4 – 0 |
| L5 – 1 | |
RM – RISK MANAGEMENT
Total: 6 Practices
| L1 – 0 | L2 - 3 |
| L3 – 3 | L4 – 4 |
| L5 – 2 | |
CA – SECURITY ASSESSMENT
Total: 5 Practices
| L1 – 0 | L2 - 3 |
| L3 – 2 | L4 – 3 |
| L5 – 0 | |
SA – SITUATIONAL AWARENESS
Total: 1 Practice
| L1 – 0 | L2 - 0 |
| L3 – 1 | L4 – 2 |
| L5 – 0 | |
SC – SYSTEM AND COMMUNICATIONS PROTECTION
Total: 19 Practices
| L1 – 2 | L2 - 2 |
| L3 – 15 | L4 – 5 |
| L5 – 3 | |
SI – SYSTEM AND INFORMATION INTEGRITY
Total: 10 Practices
| L1 – 4 | L2 - 3 |
| L3 – 3 | L4 – 1 |
| L5 – 2 | |
AC – ACCESS CONTROL
Total: 25 Practices
| L1 – 4 | L2 - 10 |
| L3 – 8 | L4 – 3 |
| L5 – 1 | |
AM – ASSET MANAGEMENT
Total: 2 Practices
| L1 – 0 | L2 - 0 |
| L3 – 1 | L4 – 1 |
| L5 – 0 | |
AU – AUDIT AND ACCOUNTABILITY
Total: 13 Practices
| L1 – 0 | L2 - 4 |
| L3 – 7 | L4 – 2 |
| L5 – 1 | |
AT – AWARENESS AND TRAINING
Total: 5 Practices
| L1 – 0 | L2 - 2 |
| L3 – 1 | L4 – 2 |
| L5 – 0 | |
CM – CONFIGURATION MANAGEMENT
Total: 10 Practices
| L1 – 0 | L2 - 6 |
| L3 – 3 | L4 – 1 |
| L5 – 1 | |
IA – IDENTIFICATION AND AUTHENTICATION
Total: 11 Practices
| L1 – 2 | L2 - 5 |
| L3 – 4 | L4 – 0 |
| L5 – 0 | |
IR – INCIDENT RESPONSE
Total: 9 Practices
| L1 – 0 | L2 - 5 |
| L3 – 2 | L4 – 2 |
| L5 – 4 | |
MA – MAINTENANCE
Total: 6 Practices
| L1 – 0 | L2 - 4 |
| L3 – 2 | L4 – 0 |
| L5 – 0 | |
MP – MEDIA PROTECTION
Total: 8 Practices
| L1 – 1 | L2 - 3 |
| L3 – 4 | L4 – 0 |
| L5 – 0 | |
PS – PERSONNEL SECURITY
Total: 2 Practices
| L1 – 0 | L2 - 2 |
| L3 – 0 | L4 – 0 |
| L5 – 0 | |
PE- PHYSICAL PROTECTION
Total: 6 Practices
| L1 – 4 | L2 - 1 |
| L3 – 1 | L4 – 0 |
| L5 – 0 | |
RE - RECOVERY
Total: 3 Practices
| L1 – 0 | L2 - 2 |
| L3 – 1 | L4 – 0 |
| L5 – 1 | |
RM – RISK MANAGEMENT
Total: 10 Practices
| L1 – 0 | L2 - 3 |
| L3 – 3 | L4 – 4 |
| L5 – 2 | |
CA – SECURITY ASSESSMENT
Total: 8 Practices
| L1 – 0 | L2 - 3 |
| L3 – 2 | L4 – 3 |
| L5 – 0 | |
SA – SITUATIONAL AWARENESS
Total: 3 Practices
| L1 – 0 | L2 - 0 |
| L3 – 1 | L4 – 2 |
| L5 – 0 | |
SC – SYSTEM AND COMMUNICATIONS PROTECTION
Total: 24 Practices
| L1 – 2 | L2 - 2 |
| L3 – 15 | L4 – 5 |
| L5 – 3 | |
SI – SYSTEM AND INFORMATION INTEGRITY
Total: 11 Practices
| L1 – 4 | L2 - 3 |
| L3 – 3 | L4 – 1 |
| L5 – 2 | |
AC – ACCESS CONTROL
Total: 26 Practices
| L1 – 4 | L2 - 10 |
| L3 – 8 | L4 – 3 |
| L5 – 1 | |
AM – ASSET MANAGEMENT
Total: 2 Practices
| L1 – 0 | L2 - 0 |
| L3 – 1 | L4 – 1 |
| L5 – 0 | |
AU – AUDIT AND ACCOUNTABILITY
Total: 14 Practices
| L1 – 0 | L2 - 4 |
| L3 – 7 | L4 – 2 |
| L5 – 1 | |
AT – AWARENESS AND TRAINING
Total: 5 Practices
| L1 – 0 | L2 - 2 |
| L3 – 1 | L4 – 2 |
| L5 – 0 | |
CM – CONFIGURATION MANAGEMENT
Total: 11 Practices
| L1 – 0 | L2 - 6 |
| L3 – 3 | L4 – 1 |
| L5 – 1 | |
IA – IDENTIFICATION AND AUTHENTICATION
Total: 11 Practices
| L1 – 2 | L2 - 5 |
| L3 – 4 | L4 – 0 |
| L5 – 0 | |
IR – INCIDENT RESPONSE
Total: 13 Practices
| L1 – 0 | L2 - 5 |
| L3 – 2 | L4 – 2 |
| L5 – 4 | |
MA – MAINTENANCE
Total: 6 Practices
| L1 – 0 | L2 - 4 |
| L3 – 2 | L4 – 0 |
| L5 – 0 | |
MP – MEDIA PROTECTION
Total: 8 Practices
| L1 – 1 | L2 - 3 |
| L3 – 4 | L4 – 0 |
| L5 – 0 | |
PS – PERSONNEL SECURITY
Total: 2 Practices
| L1 – 0 | L2 - 2 |
| L3 – 0 | L4 – 0 |
| L5 – 0 | |
PE- PHYSICAL PROTECTION
Total: 6 Practices
| L1 – 4 | L2 - 1 |
| L3 – 1 | L4 – 0 |
| L5 – 0 | |
RE - RECOVERY
Total: 4 Practices
| L1 – 0 | L2 - 2 |
| L3 – 1 | L4 – 0 |
| L5 – 1 | |
RM – RISK MANAGEMENT
Total: 12 Practices
| L1 – 0 | L2 - 3 |
| L3 – 3 | L4 – 4 |
| L5 – 2 | |
CA – SECURITY ASSESSMENT
Total: 8 Practices
| L1 – 0 | L2 - 3 |
| L3 – 2 | L4 – 3 |
| L5 – 0 | |
SA – SITUATIONAL AWARENESS
Total: 3 Practices
| L1 – 0 | L2 - 0 |
| L3 – 1 | L4 – 2 |
| L5 – 0 | |
SC – SYSTEM AND COMMUNICATIONS PROTECTION
Total: 27 Practices
| L1 – 2 | L2 - 2 |
| L3 – 15 | L4 – 5 |
| L5 – 3 | |
SI – SYSTEM AND INFORMATION INTEGRITY
Total: 13 Practices
| L1 – 4 | L2 - 3 |
| L3 – 3 | L4 – 1 |
| L5 – 2 | |
Note: *FCI → Federal Contract Information; **CUI → Controlled Unclassified Information; ***APTs → Advanced Persistent Threats