Cybersecurity Maturity Model Certification (CMMC)

The wait is finally over for contractors and subcontractors! 

You no longer have to worry about complicated instructions and unnecessary, overly burdensome requirements. The time to start your assessment is now. Check out the requirements here and schedule your free consultation with Craig today!

CMMC v1.0 Content Overview

The document includes:

  • CMMC Model and Summary
  • Appendix A: CMMC Model v1.0
  • Appendix B: Process and Practice Descriptions
  • Appendix C: Glossary
  • Appendix D: Abbreviations and Acronyms
  • Appendix E: Source Mapping
  • Appendix F: References

It is made up of:

  • 17 Domains
  • 43 capabilities
  • 71 practices to measure technical capabilities
  • 5 processes to measure the 5 levels

The framework of the CMMC is rather simple; it encompasses multiple Domains. Within those Domains are:

  • Processes (spanning five levels)
  • Capabilities (also spanning five levels), which also include Practices across the five levels

Important Terms

Federal Contract Information (FCI): Information provided by or provided to the US Government that is under contract but is not intended for public release.

Controlled Unclassified Information (CUI): Information that needs to be secured but isn't "classified."

Advanced Persistent Threats (APTs): Threats from highly sophisticated cyber adversaries.


CMMCv1.0 Maturity Levels (ML)


Level 1

  • Practice
    • "Basic Cyber Hygiene"
    • 17 Practices for basic safeguarding of FCI
  • Process
    • "Performed"
    • No actual processes
  • Only addresses practices from the FAR Clause 52.204-21.


Level 2

  • Practice
    • "Intermediate Cyber Hygiene"
    • 72 practices meant to help transition from safeguarding FCI to protecting CUI
  • Processes
    • "Documented"
    • 2 processes


Level 3

  • Practice
    • "Good Cyber Hygiene"
    • 130 practices to protect CUI
  • Processes:
    • "Managed"
    • 1 process for safeguarding CUI
  • Includes all 110 security controls from NIST 800-171
  • All contractors handling CUI will be required to be CMMC Level 3 certified.


Level 4

  • Practice
    • "Proactive"
    • Includes 130 practices to protect CUI from Level 3 PLUS an additional 26 controls to not only protect CUI but to also reduce the risk of APTs
  • Processes:
    • "Reviewed"
    • Actively take corrective measures
  • Mostly sourced from NIST 800-171 RevB.


Level 5

  • Practice
    • "Advanced/Proactive"
    • Includes the 130 practices to protect CUI from Level 3 PLUS the 26 controls from Level 4 and an additional 15 practices to further reduce the risk of APTs
  • Processes:
    • "Optimizing"
    • Focus on protecting CUI from APTs
  • Mostly sourced from NIST 800-171 RevB.

CMMC References

The CMMC is the government's attempt at simplifying cyber security requirements for its contractors; it essentially encompasses all of the following guidelines and requirements:

  • FAR Clause 52.204-21 b.1.i
  • NIST SP 800-171 Rev 1 3.1.1
  • CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11
  • NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
  • CERT RMM v1.2 TM:SG4:SP1
  • NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17
  • AU ACSC Essential Eight

Don't Lose Your Contract!

Here at Petronella Technology Group, we think of the CMMC as wonderful new guidance on cyber security for you and your business. Schedule a free consultation with Craig today to make sure you are on the right track to keeping all of your valuable government contracts!