Submitted by on
Home> Guides> CMMC> Guide to CMMC Security and Compliance Requirements

Home > Guide to CMMC Security and Compliance Requirements

CMMC Security and Compliance Requirements

Share this Page

CMMC (Cybersecurity Maturity Model Certification) requirements are mandated for organizations in the defense industrial base (DIB) to ensure that federal contract information (FCI) and controlled unclassified information (CUI) are protected. Among the stated objectives for the CMMC requirements are:

  • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience.
  • Dynamically enhance DIB cybersecurity to meet evolving threats.
  • Ensure accountability while minimizing barriers to compliance with U.S. Department of Defense (DoD) requirements.
  • Maintain public trust through high professional and ethical standards.
  • Safeguard sensitive information to enable and protect sensitive information.
The DoD considers CMMC requirements a critical part of its defense against cyber threats that continue to grow in volume and sophistication.

Launched on January 1, 2020, CMMC version 1.0 was recalled, and version 2.0 was issued in 2021. The CMMC requirements in version 2.0 reflect more than 850 public comments from the DIB, Congress, and other stakeholders. The key takeaways were that the first version needed to be updated to:

  • Reduce organizations’ costs to meet CMMC requirements 
  • Increase trust in the CMMC assessment ecosystem
  • Align CMMC requirements with other federal requirements and commonly accepted standards

What are CMMC Requirements?

CMMC requirements must be adhered to by all individuals and DIB organizations in the DoD supply chain. This includes hundreds of thousands of suppliers, contractors, and subcontractors that work with the DoD. 

At the lowest level, CMMC Level 1, self-assessments are deemed acceptable forms of verification that organizations are adhering to the requirements. At CMMC Level 3 and CMMC Level 3, a private third-party assessment organization (C3PAO) is required to conduct an audit and determine if the organization qualifies for certification.

About C3PAOs

The CMMC Accreditation Body (CMMC-AB) has established a process to qualify private C3PAO and assessors to determine CMMC levels.

The U.S. Department of Defense authorizes the CMMC Accreditation Body to be the sole authoritative source for operationalizing CMMC Assessments and Training with the DOD contractor community or other communities that may adopt the CMMC.

The CMMC-AB operates under an exclusive contract with the DoD that charges and authorizes the CMMC-AB to serve as the sole provider of CMMC licensing and certification for C3PAOs, Training Providers, Instructors, and Assessors.  


Source: The CMMC Accreditation Body

CMMC Compliance Requirements and Regulations

While CMMC requirements are closely aligned with NIST, the two are not synonymous. CMMC requirements include quite a bit of inspiration from NIST, but also from other frameworks. Following is a summary of the 

frameworks that are included in the CMMC. 

At a Glance:  Other Frameworks and Cybersecurity Principles Included in CMMC

CMMC Level 1
FAR 52.204-21  

CMMC Level 2
FAR 52.204-21  
NIST SP 800-171 controls 

CMMC Level 3
CERT RMM v1.2
CIS Critical Security Controls (CSC) 7.1
DFARS 70s (7012, 7019, 7020, 7021)
FAR 52.204-21  
ISO 27002
NIST SP 800-53
NIST SP 800-171  
NIST SP 800-172
CUI (Controlled Unclassified Information) Controls
NFO (Non-Federal Organization) Controls

  • CERT RMM v1.2
    Provides DIB suppliers and contractors with the CERT Resilience Management Model’s (CERT-RMM) process areas, generic goals and practices, glossary, and acronyms
  • CIS CSC 7.1
    Gives DIB suppliers and contractors a prioritized set of best practices to use to improve their cybersecurity posture
  • DFARS 7012
    Requires DIB suppliers and contractors to provide “adequate security” for covered defense information that is processed, stored or transmitted on the contractor’s internal information system or network
  • DFARS 7019
    Requires DIB suppliers and contractors to correctly report and maintain their self-assessments concerning compliance with the NIST 800-171 cybersecurity framework under DFARS 7012
  • DFARS 7020
    Informs DIB suppliers and contractors that the DoD has the right to access “facilities, systems and personnel” that manage, process, store, or transmit controlled unclassified information in the event the DoD deems it necessary to perform a Medium or High Assessment on them
  • FAR 52.204-21  
    Specifies 15 security requirements that DIB suppliers and contractors have to implement to safeguard a category of information classified as FCI or CUI
  • ISO 27002
    Includes a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management
  • NIST SP 800-53
    Defines the minimum security controls for all federal information systems except those related to national security
  • NIST SP 800-171  
    Provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI)
  • NIST SP 800-172
    Enhances security requirements for protecting the confidentiality of CUI: (1) when the information is resident in nonfederal systems and organizations; (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry


CMMC Security Requirements

CMMC requirements at Level 1 include 17 security controls under 6 domains.

1. Access Control (A.C.)4 controls
2. Identification and Authentication (I.A.)2 controls
3. Media Protection (M.P.)1 control
4. Physical Protection (P.E.)4 controls
5. System and Communication Protections (S.C.)2 controls
6. System and Information Integrity (S.I.)  4 controls

CMMC requirements at Level 2 include 110 controls grouped under 14 domains and  

1. Access Control (A.C.)22 controls
2. Awareness Training (AT)3 controls
3. Audit and Accountability (A.U.)9 controls
4. Configuration Management (CM)9 controls
5. Identification and Authentication (I.A.)11 controls
6. Incident Response (I.R.)3 controls
7. Maintenance (M.A.)6 controls
8. Media Protection (M.P.)9 controls
9. Personnel Security (P.S.)2 controls
10. Physical Protection (P.E.)6 controls
11. Risk Assessment (R.A.)3 controls
12. Security Assessment (S.A.)4 controls
13. System and Communications Protection (S.C.)16 controls
14. System and Information Integrity (S.I.)7 controls

CMMC requirements at Level 3 include 130 controls grouped under 16 domains and those under CMMC Levels 1 and 2.  

1. Access Control (A.C.)8 controls
2. Asset Management1 control
3. Audit and Accountability7 controls
4. Awareness Training (A.T.)1 control
5. Configuration Management (C.M.)3 controls
6. Identification and Authentication (I.A.)4 controls
7. Incident Response (I.R.)2 controls
8. Maintenance (M.A.)2 controls
9. Media Protection (M.P.)4 controls
10. Physical Protection 6 controls
11. Recovery1 control
12. Risk Assessment (R.A.)3 controls
13. Security Assessment (S.A.)2 controls
14. Situational Awareness1 control
15. System and Communications Protection (S.C.)15 controls
16. System and Information Integrity (S.I.)3 controls

CMMC Requirements Embody Security Best Practices

The DoD considers CMMC requirements a critical part of its defense against cyber threats that continue to grow in volume and sophistication. While organizations must invest significant time, money, and discipline to adhere to the CMMC requirements, the result is better cybersecurity and the certification needed to bid on DoD contracts.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 2nd August, 2022

Share this Page