Like other maturity frameworks, CMMC is organized as a single overarching model that is then decomposed into domains, processes, capabilities, and practices. CMMC is described as a “unified framework”: it applies to all DoD contractors, is mandated through the Defense Federal Acquisition Regulation Supplement (DFARS), and is imposed at the contracting level across all DoD components. The model (version 1.0) comprises 17 domains containing 43 capabilities, five process maturity levels that measure how institutionalized an organization's cybersecurity activities are, and 171 practices spread across those same five levels that measure technical capability.
Anyone who has worked with the DoD or other federal implementations of the NIST Risk Management Framework and Cybersecurity Framework, or who knows the control catalog in NIST SP 800-53, will find the 17 domains familiar. They track the control families of NIST SP 800-53 and NIST SP 800-171 in both name and function: Access Control, Incident Response, Awareness and Training, System and Information Integrity, and so on. The practices are, in fact, intended to drive full implementation of the controls in those families; CMMC Level 3 in particular encompasses all 110 security requirements of NIST SP 800-171, which are themselves derived from SP 800-53 controls. The five process maturity levels are:
- Performed (Level 1),
- Documented (Level 2),
- Managed (Level 3),
- Reviewed (Level 4), and
- Optimizing (Level 5).
The 171 practices are distributed across five practice levels. The counts below are cumulative: each level requires every practice of the levels beneath it, so a Level 3 assessment, for example, covers all 130 practices of Levels 1 through 3, not just the 58 that are new at Level 3.
- Level 1, Basic cyber hygiene: 17 practices,
- Level 2, Intermediate cyber hygiene: 72 practices,
- Level 3, Good cyber hygiene: 130 practices,
- Level 4, Proactive cyber hygiene: 156 practices, and
- Level 5, Advanced cyber hygiene: all 171 identified practices, each implemented through its individual controls.