CMMC Framework: Protecting FCI and CUI across the DIB

Cybersecurity Maturity Model Certification (CMMC) – Framework

The CMMC framework is built from four elements: security domains, capabilities, practices and processes. Combined, these form best practice for the protection of an organisation and the FCI and CUI it handles. The same elements make up the five cybersecurity maturity levels (Level 1, 2, 3, 4 and 5) that comprise the CMMC framework, with Level 1 being the least mature and Level 5 the most mature.

Cyber domains

The CMMC framework consists of 17 cyber security domains. A domain is a distinct group of security practices that share similar attributes and that are key to the protection of FCI and CUI, either individually or in combination. The following table lists the domains defined in the CMMC framework for the protection of FCI and CUI.

Access Control
Asset Management
Audit and Accountability
Awareness and Training
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Recovery
Risk Management
Security Assessment
Situational Awareness
System and Communications Protection
System and Information Integrity

Table 1: CMMC Domains (all 17 domains of the framework; the Maintenance and Recovery domains correspond to the "Manage maintenance", "Manage back-ups" and "Manage information security continuity" capabilities in Table 2)


Each domain comprises several capabilities that an organisation is expected to achieve so that cyber security, and the protection of FCI and CUI, is sustainable. Capabilities are a combination of practices, processes, skills, knowledge, tools and behaviours which, working together, enable an organisation to protect FCI and CUI. The following table lists the 43 capabilities grouped by domain.

Domain | Capability
Access Control | Establish system access requirements
Access Control | Control internal system access
Access Control | Control remote system access
Access Control | Limit data access to authorized users and processes
Asset Management | Identify and document assets
Asset Management | Manage asset inventory
Audit and Accountability | Define audit requirements
Audit and Accountability | Perform auditing
Audit and Accountability | Identify and protect audit information
Audit and Accountability | Review and manage audit logs
Awareness and Training | Conduct security awareness activities
Awareness and Training | Conduct training
Configuration Management | Establish configuration baselines
Configuration Management | Perform configuration and change management
Identification and Authentication | Grant access to authenticated entities
Incident Response | Plan incident response
Incident Response | Detect and report events
Incident Response | Develop and implement a response to a declared incident
Incident Response | Perform post-incident reviews
Incident Response | Test incident response
Maintenance | Manage maintenance
Media Protection | Identify and mark media
Media Protection | Protect and control media
Media Protection | Sanitize media
Media Protection | Protect media during transport
Personnel Security | Screen personnel
Personnel Security | Protect federal contract information during personnel actions
Physical Protection | Limit physical access
Recovery | Manage back-ups
Recovery | Manage information security continuity
Risk Management | Identify and evaluate risk
Risk Management | Manage risk
Risk Management | Manage supply chain
Security Assessment | Develop and manage a system security plan
Security Assessment | Define and manage controls
Security Assessment | Perform code reviews
Situational Awareness | Implement threat monitoring
System and Communications Protection | Define security requirements for systems and communications
System and Communications Protection | Control communications at system boundaries
System and Information Integrity | Identify and manage information system flaws
System and Information Integrity | Identify malicious content
System and Information Integrity | Perform network and system monitoring
System and Information Integrity | Implement advanced email protections

Table 2: CMMC Capabilities


In total (at Level 5) the CMMC framework identifies 171 practices, associated with the 17 security domains and mapped across the 5 maturity levels. Practices applied at maturity Level 1 and Level 2 are referenced from FAR 52.204-21, the basic safeguarding requirements for covered contractor information systems, applied to the protection of Federal Contract Information (FCI). Practices applied at Levels 3, 4 and 5 are referenced from DFARS 252.204-7012, the safeguarding requirements for covered defence information and cyber incident reporting.

[Figure not available: "Cybersecurity practices applied to each maturity level" plotted against CMMC Levels]

Table 1 (figure): Cyber security practices and (D)FARS regulation per CMMC level

Maturity Processes

To ensure that security domains, capabilities and practices are implemented effectively and institutionalised, five maturity processes spanning Levels 1, 2, 3, 4 and 5 are applied. The processes apply to all security domains and to each of the five levels of cybersecurity maturity (Level 1, 2, 3, 4 and 5). They describe the expected state of the practices applied at each level: from the 17 practices being performed at Level 1, through to the 171 practices being performed, documented, managed, reviewed and optimised at Level 5.

Maturity level | Level description | Process
ML 1 | Performed | There are no (maturity) processes assessed at Level 1. An organisation performs Level 1 practices, but they are not institutionalised.
ML 2 | Documented | Policies are established for each security domain identified as required under Level 2. CMMC practices are documented to implement the policy defined under Level 2.
ML 3 | Managed | Practices are established, maintained and resourced, and a plan of action is in place for their management.
ML 4 | Reviewed | The effectiveness of the practices is reviewed and measured.
ML 5 | Optimising | Practices are standardised and optimised across all organisational units.

Table 3: CMMC maturity processes


The DIB delivers a complex mix of products and services to the DoD through a supply chain of over 300,000 prime and subcontract suppliers. A single cyber security model will not appropriately support such an economically and technically diverse supply chain with varying degrees of cyber maturity. Given the depth, breadth and complexity of the products and services being delivered, from footwear through to complex air, land and sea-based systems, a cybersecurity maturity model is the most appropriate solution.

The CMMC comprises five levels of cyber maturity. Each level is designed to accommodate a different degree of cybersecurity and process maturity, with the number of security domains and the level of practice increasing at each step. The levels are designed to support DIB suppliers who require basic cyber security hygiene at Level 1, through to complex DIB suppliers who are actively targeted by threat actors, potentially nation states, at Level 5. The level of compliance required will be defined by the DoD during the procurement process, mapped to the data the contract will manage (FCI or CUI) and the perceived threat to the DoD, with Levels 1 and 2 being associated with FCI and Levels 3, 4 and 5 with CUI.

CMMC maturity and progression

Note: CMMC process maturity is cumulative as maturity levels increase, i.e. the 171 practices at Level 5 must be performed, documented, managed, reviewed and optimised to protect CUI.

For further information on CMMC Levels 1, 2, 3, 4 and 5, and the associated domains, practices and maturity processes, the links below will help clarify.

Level 1
Level 2
Level 3
Level 4
Level 5

Table 4: CMMC Levels 1, 2, 3, 4 and 5
