32 C.F.R. § 170.14
CMMC Model
(a) Overview. The CMMC Model incorporates the security requirements from:
(1) 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
(2) NIST SP 800-171 R2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (incorporated by reference, see § 170.2); and
(3) Selected security requirements from NIST SP 800-172 Feb2021, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (incorporated by reference, see § 170.2).
(b) CMMC domains. The CMMC Model consists of domains that map to the Security Requirement Families defined in NIST SP 800-171 R2 (incorporated by reference, see § 170.2).
(c) CMMC level requirements. CMMC Levels 1-3 utilize the safeguarding requirements and security requirements specified in 48 CFR 52.204-21 (for Level 1), NIST SP 800-171 R2 (incorporated by reference, see § 170.2) (for Level 2), and selected security requirements from NIST SP 800-172 Feb2021 (incorporated by reference, see § 170.2) (for Level 3). This paragraph discusses the numbering scheme and the security requirements for each level.
(1) Numbering. Each security requirement has an identification number in the format—DD.L#-REQ—where:
(i) DD is the two-letter domain abbreviation;
(ii) L# is the CMMC level number; and
(iii) REQ is the 48 CFR 52.204-21 paragraph number, NIST SP 800-171 R2 requirement number, or NIST SP 800-172 Feb2021 requirement number.
(2) CMMC Level 1 security requirements. The security requirements in CMMC Level 1 are those set forth in 48 CFR 52.204-21(b)(1)(i) through (xv).
(3) CMMC Level 2 security requirements. The security requirements in CMMC Level 2 are identical to the requirements in NIST SP 800-171 R2.
(4) CMMC Level 3 security requirements. The security requirements in CMMC Level 3 are selected from NIST SP 800-172 Feb2021, and where applicable, Organization-Defined Parameters (ODPs) are assigned. Table 1 to this paragraph identifies the selected requirements and applicable ODPs that represent the CMMC Level 3 security requirements. ODPs for the NIST SP 800-172 Feb2021 requirements are italicized, where applicable:
| Security requirement No.* | CMMC Level 3 security requirements (selected NIST SP 800-172 Feb2021 security requirement with DoD ODPs italicized) |
|---|---|
| (i) AC.L3-3.1.2e | Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization. |
| (ii) AC.L3-3.1.3e | Employ |
| (iii) AT.L3-3.2.1e | Provide awareness training |
| (iv) AT.L3-3.2.2e | Include practical exercises in awareness training for |
| (v) CM.L3-3.4.1e | Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components. |
| (vi) CM.L3-3.4.2e | Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, |
| (vii) CM.L3-3.4.3e | Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components. |
| (viii) IA.L3-3.5.1e | Identify and authenticate |
| (ix) IA.L3-3.5.3e | Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile. |
| (x) IR.L3-3.6.1e | Establish and maintain a security operations center capability that operates |
| (xi) IR.L3-3.6.2e | Establish and maintain a cyber-incident response team that can be deployed by the organization within |
| (xii) PS.L3-3.9.2e | Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI. |
| (xiii) RA.L3-3.11.1e | Employ |
| (xiv) RA.L3-3.11.2e | Conduct cyber threat hunting activities |
| (xv) RA.L3-3.11.3e | Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components. |
| (xvi) RA.L3-3.11.4e | Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination. |
| (xvii) RA.L3-3.11.5e | Assess the effectiveness of security solutions |
| (xviii) RA.L3-3.11.6e | Assess, respond to, and monitor supply chain risks associated with organizational systems and system components. |
| (xix) RA.L3-3.11.7e | Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan |
| (xx) CA.L3-3.12.1e | Conduct penetration testing |
| (xxi) SC.L3-3.13.4e | Employ |
| (xxii) SI.L3-3.14.1e | Verify the integrity of |
| (xxiii) SI.L3-3.14.3e | Ensure that |
| (xxiv) SI.L3-3.14.6e | Use threat indicator information and effective mitigations obtained from, |
* Roman numerals in parentheses before the Security Requirement are for numbering purposes only. The numerals are not part of the naming convention for the requirement.
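As an added example, not part of the regulation text: a small Python parser for the DD.L#-REQ identifier format defined in paragraph (c)(1), checked against the 24 Level 3 identifiers from Table 1. The Level 1 REQ shape (a 48 CFR 52.204-21 paragraph reference such as b.1.i) is an assumption of this example, not something the section spells out.

```python
import re
from dataclasses import dataclass

# Identifier format DD.L#-REQ from § 170.14(c)(1): two-letter domain, "L" plus the
# level number, then the requirement number taken from that level's source document.
_ID_RE = re.compile(r"^(?P<domain>[A-Z]{2})\.L(?P<level>[123])-(?P<req>[A-Za-z0-9.]+)$")

# Source document per level, from § 170.14(c).
SOURCE_BY_LEVEL = {1: "48 CFR 52.204-21", 2: "NIST SP 800-171 R2", 3: "NIST SP 800-172 Feb2021"}

# Shape of the REQ part per level. Levels 2 and 3 follow NIST numbering (3.x.y, with an
# "e" suffix on the enhanced 800-172 requirements, as in every row of Table 1). The
# Level 1 shape (a 52.204-21 paragraph reference such as b.1.i) is assumed here.
_REQ_SHAPE = {
    1: re.compile(r"^b\.1\.[ivx]+$"),
    2: re.compile(r"^3\.\d+\.\d+$"),
    3: re.compile(r"^3\.\d+\.\d+e$"),
}

@dataclass(frozen=True)
class RequirementId:
    domain: str
    level: int
    req: str

    @property
    def source(self) -> str:
        return SOURCE_BY_LEVEL[self.level]

def parse_requirement_id(text: str) -> RequirementId:
    """Parse and validate one CMMC identifier; raise ValueError on a malformed one."""
    m = _ID_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not in DD.L#-REQ form: {text!r}")
    level, req = int(m["level"]), m["req"]
    if not _REQ_SHAPE[level].match(req):
        raise ValueError(f"REQ {req!r} does not fit {SOURCE_BY_LEVEL[level]} numbering (Level {level})")
    return RequirementId(m["domain"], level, req)

# Constructed sample: the 24 Level 3 identifiers listed in Table 1 of § 170.14(c)(4).
LEVEL3_TABLE_IDS = (
    "AC.L3-3.1.2e AC.L3-3.1.3e AT.L3-3.2.1e AT.L3-3.2.2e CM.L3-3.4.1e CM.L3-3.4.2e "
    "CM.L3-3.4.3e IA.L3-3.5.1e IA.L3-3.5.3e IR.L3-3.6.1e IR.L3-3.6.2e PS.L3-3.9.2e "
    "RA.L3-3.11.1e RA.L3-3.11.2e RA.L3-3.11.3e RA.L3-3.11.4e RA.L3-3.11.5e RA.L3-3.11.6e "
    "RA.L3-3.11.7e CA.L3-3.12.1e SC.L3-3.13.4e SI.L3-3.14.1e SI.L3-3.14.3e SI.L3-3.14.6e"
).split()

def count_by_domain(ids) -> dict:
    """Requirements per domain, e.g. to size a Level 3 gap assessment domain by domain."""
    counts: dict = {}
    for rid in map(parse_requirement_id, ids):
        counts[rid.domain] = counts.get(rid.domain, 0) + 1
    return counts
```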
(d) Implementation. Assessment of security requirements is prescribed by NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800-172A Mar2022 (incorporated by reference, see § 170.2). Descriptive text in these documents supports OSA implementation of the security requirements and uses the terms organization-defined and periodically. Except where referring to Organization-Defined Parameters (ODPs), organization-defined means as determined by the OSA. Periodically means occurring at regular intervals. As used in many requirements within CMMC, the interval length is organization-defined to provide contractor flexibility, with an interval length of no more than one year.