Professional Documents
Culture Documents
CMMC v1.0 Public Briefing 20200131 v2
CMMC v1.0 Public Briefing 20200131 v2
31 January 2020
Performance
Schedule
Cybersecurity
Performance
Schedule
Cost
Cost
CYBERSECURITY
CMMC Model v1.0: Number of Practices and Processes Introduced at each Level
Model
Incident Risk
Access Control
Response Management
(AC)
(IR) (RM)
Asset Security
Maintenance
Management Assessment
(MA)
(AM) (CA)
Identification and
Recovery
Authentication
(RE)
(IA)
LEVEL 5
OPTIMIZING
LEVEL 4
REVIEWED
LEVEL 3 5 PROCESSES
MANAGED Each practice is
LEVEL 2 4 PROCESSES documented,
DOCUMENTED Each practice is including lower levels
LEVEL 1 3 PROCESSES documented,
PERFORMED Each practice is including lower levels A policy exists that
2 PROCESSES documented, covers all activities
Each practice is including lower levels A policy exists that
0 PROCESSES documented, covers all activities A plan exists that
Select practices are including Level 1 A policy exists that includes all activities*
documented where practices cover all activities A plan exists that
required includes all activities* Activities are
A policy exists that A plan exists, is reviewed and
includes all activities maintained, and Activities are measured for
resourced that reviewed and effectiveness
includes all activities* measured for
effectiveness (results There is a
of the review is standardized,
shared with higher documented
level management) approach across all
applicable
*Planning activities may include mission, organizational units
goals, project plan, resourcing, training
needed, and involvement of relevant
stakeholders
LEVEL 5
ADVANCED / PROGRESSIVE
LEVEL 4
PROACTIVE
LEVEL 3 171 PRACTICES
LEVEL 2 GOOD CYBER HYGIENE Comply with the FAR
INTERMEDIATE CYBER 156 PRACTICES
HYGIENE Encompasses all
LEVEL 1 130 PRACTICES Comply with the FAR practices from NIST
BASIC CYBER HYGIENE SP 800-171 r1
72 PRACTICES Comply with the FAR Encompasses all
practices from NIST SP Includes a select
17 PRACTICES 800-171 r1 subset of 4 practices
Comply with the FAR Encompasses all
from Draft NIST SP
practices from NIST
Equivalent to all 800-171B
SP 800-171 r1
practices in Federal Includes a select Includes a select
Acquisition Regulation subset of 48 practices subset of 11 practices Includes an
(FAR) 48 CFR 52.204- from Draft NIST SP additional 11
from the NIST SP 800- Includes an additional
21 800-171B practices to
171 r1 20 practices to
demonstrate an
support good cyber
Includes an additional advanced
Includes an additional hygiene
15 practices to cybersecurity
7 practices to support
demonstrate a program
intermediate cyber
hygiene proactive
cybersecurity program
LEVEL 5
ADVANCED / PROGRESSIVE
LEVEL 3
GOOD CYBER HYGIENE
LEVEL 2
INTERMEDIATE CYBER HYGIENE
72 PRACTICES + 58 Practices
LEVEL 1
BASIC CYBER HYGIENE
17 PRACTICES + 55 Practices
Appendix A Processes
• Sources include:
– FAR Clause 52.204-21
– NIST SP 800-171 Rev 1
– Draft NIST SP 800-171B
– CIS Controls v7.1
– NIST Framework for Improving Critical Infrastructure
Cybersecurity (CSF) v1.1
– CERT Resilience Management Model (CERT RMM)
v1.2
– NIST SP 800-53 Rev 4
– Others such as CMMC, UK NCSC Cyber Essentials, or Appendix E Source Mapping
AU ACSC Essential Eight