The interconnected controls for CMMC

Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program that verifies contractors and subcontractors in the Defense Industrial Base (DIB) supply chain apply the required security practices when they process, store, or transmit Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Due to the diversity and criticality of government data, the CMMC consists of various control areas, which differ according to the certification level. Each area encompasses critical cybersecurity practices you must implement if you plan on forming or maintaining a relationship with the DoD.

These practices are informally referred to as controls, so we’ll use this term in this guide as a synonym for the program’s practices. The guide will break down the key CMMC practices for ongoing compliance.

CMMC control areas at a glance

CMMC encompasses 14 control domains derived from NIST SP 800-171:

  1. Access Control (AC)
  2. Awareness & Training (AT)
  3. Audit & Accountability (AU)
  4. Configuration Management (CM)
  5. Identification & Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Media Protection (MP)
  9. Personnel Security (PS)
  10. Physical Protection (PE)
  11. Risk Assessment (RA)
  12. Security Assessment (CA)
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)

Such comprehensive coverage enhances security for organizations in the DoD supply chain, as each domain can encompass many specific practices that vary by the chosen certification level.


CMMC certification levels and corresponding practices

CMMC offers three certification levels:

Level 1: Foundational
  • Target audience: Organizations in the Defense Supply Chain that handle Federal Contract Information (FCI)
  • Certificate validity: 1 year (with an accompanying compliance affirmation)
Level 2: Advanced
  • Target audience: Organizations within the Defense Supply Chain with access to FCI and Controlled Unclassified Information (CUI)
  • Certificate validity: 3 years (with annual compliance affirmations)
Level 3: Expert
  • Target audience: Organizations within the Defense Supply Chain with access to FCI and critical CUI
  • Certificate validity: 3 years (with annual compliance affirmations)

Each certification level encompasses different security practices that correspond to an organization’s role in the DoD supply chain and the criticality of shared information. Below, we’ll clarify the practices corresponding to each level.

CMMC Level 1 controls

CMMC Level 1 is the base-level certification program designed to establish basic cybersecurity practices for DoD contractors and subcontractors. As such, it only includes six out of the 14 CMMC control domains and has 15 specific practices in total.

The six Level 1 domains, with example practices:

Access Control
  • Authorized Access Control
  • Transaction & Function Control
  • External Connections
Identification & Authentication
  • Identification (of information system users, processes, and devices)
  • Authentication (of the identified users, processes, and devices)
Media Protection
  • Media Disposal
Physical Protection
  • Limit Physical Access
  • Escort Visitors
  • Manage Physical Access
System and Communications Protection
  • Boundary Protection
  • Public-Access System Separation
System and Information Integrity
  • Flaw Remediation
  • Malicious Code Protection
  • System & File Scanning

To obtain a Level 1 certificate, you need to self-assess your IT infrastructure against these practices. The self-assessment encompasses various activities, such as:

  • Access reviews
  • Authentication policy reviews
  • Staff interviews

During the assessment, you’ll need to collect and review various documents that demonstrate CMMC compliance, such as:

  • Policy, procedure, and process documents
  • Security plans and planning documents
  • Training materials
  • Network, system, and data flow diagrams

After completing the self-assessment, you should enter the results into the Supplier Performance Risk System (SPRS). You must meet all of the applicable CMMC practices and affirm the implementation of the in-scope practices to get certified.

Your certificate will be valid for one year, after which you’ll need to repeat the entire self-assessment process. Alongside the results, you’ll have to provide annual compliance affirmations to maintain the certificate.


CMMC Level 2 controls

CMMC Level 2 addresses the security of sensitive CUI, so it’s not surprising that it encompasses a much broader range of practices and processes. It’s built around 110 practices derived from NIST SP 800-171 R2, which are split across all 14 domains.

Key domains that Level 2 adds beyond Level 1, with example practices:

Audit & Accountability
  • System Audit
  • User Accountability
  • Reduction & Reporting
Configuration Management
  • System Baselining
  • Security Impact Analysis
  • Application Execution Policy
Incident Response
  • Incident Reporting
  • Incident Handling
  • Incident Response Testing
Maintenance
  • System Maintenance Control
  • Media Inspection
  • Nonlocal Maintenance
Security Assessment
  • Security Control Assessment
  • Operational Plan of Action
  • Security Control Monitoring

Level 2 has two assessment types. You do not pick one freely: the solicitation or contract specifies which applies, based on the sensitivity of the CUI involved:

  1. A self-assessment for organizations that do not handle highly sensitive CUI
  2. A Certified Third-Party Assessor Organization (C3PAO) assessment for organizations handling prioritized CUI

A Level 2 C3PAO certification also satisfies a Level 2 self-assessment requirement, so a contractor that expects both kinds of contracts may opt for the C3PAO route up front.

Whichever option you choose, your certificate will be valid for three years, but you still need annual compliance affirmations. This doesn’t mean both assessments are equally valuable, though—a C3PAO assessment is typically considered a superior option due to the increased security assurance it provides.

Unlike Level 1, Level 2 doesn't require every in-scope practice to be met at the time of assessment. If you reach a minimum assessment score of 88 out of 110 under the DoD scoring methodology but still have gaps, you can be issued a Conditional Certificate. Note that the score is weighted: each unmet practice deducts 1, 3, or 5 points depending on its importance, so 88 does not mean "88 practices met." Only the lowest-weighted gaps may be carried forward; the higher-weighted practices (multifactor authentication, for example) must be met at assessment time.

To obtain conditional status, you must accompany your assessment results with a Plan of Action & Milestones (POA&M), a document that lists each open gap, its remediation steps, owner, and target date. You then have 180 days to close every POA&M item; a closeout assessment verifies the fixes and converts the conditional status into a Final Certificate. If the POA&M is not closed within that window, the Conditional Certificate expires.

At this point, it’s crucial to track remediation against specified timelines. This helps you properly prioritize gap remediation activities and ensure accountability for fixing these gaps.
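To make the conditional-certificate rule and the remediation timeline concrete, here is an added Python illustration. It is not Vanta's code and not an official DoD tool; it encodes the rules as I understand them from 32 CFR 170.21 and the DoD NIST SP 800-171 Assessment Methodology: an unmet practice deducts 1, 3, or 5 points from 110; SC.L2-3.13.11 deducts 3 rather than 5 when encryption is in place but not FIPS-validated; a POA&M may carry only 1-point gaps (plus that partial-credit case) and never the five Level 1-equivalent practices listed in the code; and the POA&M must be closed 180 days after the conditional certification date. The sample findings and their point values are constructed test data, any practice not listed is assumed met, and you should confirm weights and eligibility against the current rule text before relying on the output.

```python
"""Conditional-certification and POA&M deadline check for CMMC Level 2.

Added illustration, not an official DoD or Vanta tool. Rules are encoded
as understood from 32 CFR 170.21 and the DoD NIST SP 800-171 Assessment
Methodology; verify against the current rule text before relying on it.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TOTAL_REQUIREMENTS = 110            # NIST SP 800-171 R2 requirements in scope
MIN_SCORE = 88                      # 80 percent of 110, rounded up
POAM_WINDOW = timedelta(days=180)   # time allowed to close out the POA&M

# Level 1-equivalent requirements that the rule excludes from any POA&M.
NEVER_POAM = {"AC.L2-3.1.20", "AC.L2-3.1.22",
              "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}
# Requirements with a partial-credit deduction (points deducted when "partial").
PARTIAL_CREDIT = {"SC.L2-3.13.11": 3}   # encryption present but not FIPS-validated


@dataclass(frozen=True)
class Finding:
    practice: str   # CMMC practice identifier
    points: int     # 1, 3 or 5 per the scoring methodology
    status: str     # "met", "unmet", or "partial" (only where PARTIAL_CREDIT allows)


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for this finding."""
    if f.status == "met":
        return 0
    if f.status == "partial":
        if f.practice not in PARTIAL_CREDIT:
            raise ValueError(f"{f.practice} has no partial-credit rule")
        return PARTIAL_CREDIT[f.practice]
    if f.status == "unmet":
        return f.points
    raise ValueError(f"unknown status {f.status!r}")


def assessment_score(findings: List[Finding]) -> int:
    """Practices absent from `findings` are treated as met."""
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)


def poam_blockers(findings: List[Finding]) -> List[str]:
    """Reasons a Conditional Certificate cannot be issued (empty list = eligible)."""
    blockers = []
    score = assessment_score(findings)
    if score < MIN_SCORE:
        blockers.append(f"score {score}/{TOTAL_REQUIREMENTS} is below the minimum of {MIN_SCORE}")
    for f in findings:
        d = deduction(f)
        if d == 0:
            continue
        if f.practice in NEVER_POAM:
            blockers.append(f"{f.practice}: Level 1 requirement, never POA&M-eligible")
        elif d > 1 and f.status != "partial":
            blockers.append(f"{f.practice}: {d}-point requirement must be met at assessment")
    return blockers


def conditional_eligible(findings: List[Finding]) -> Tuple[bool, int, List[str]]:
    blockers = poam_blockers(findings)
    return (not blockers, assessment_score(findings), blockers)


def poam_deadline(conditional_date: str) -> str:
    """ISO date by which every POA&M item must be closed."""
    return (date.fromisoformat(conditional_date) + POAM_WINDOW).isoformat()


def overdue_items(poam: Dict[str, Optional[str]], conditional_date: str, today: str) -> List[str]:
    """POA&M items (practice -> ISO close date or None) not closed by the deadline, as of `today`."""
    deadline = poam_deadline(conditional_date)
    if today <= deadline:            # ISO dates compare correctly as strings
        return []
    return [p for p, closed in poam.items() if closed is None or closed > deadline]


# Constructed sample findings; point values as understood from the methodology.
SAMPLE = [
    Finding("AC.L2-3.1.1", 5, "met"),
    Finding("AC.L2-3.1.2", 5, "met"),
    Finding("AC.L2-3.1.3", 1, "unmet"),       # CUI flow control not yet enforced
    Finding("AC.L2-3.1.9", 1, "unmet"),       # privacy and security notices missing
    Finding("SC.L2-3.13.11", 5, "partial"),   # encryption in use, not FIPS-validated
    Finding("IA.L2-3.5.3", 5, "met"),         # multifactor authentication
    Finding("AU.L2-3.3.1", 5, "met"),         # audit logging
]

if __name__ == "__main__":
    ok, score, why = conditional_eligible(SAMPLE)
    print(f"score={score} conditional_eligible={ok} {why}")
    # Same posture, but MFA (a 5-point practice) is unmet: still above 88, yet blocked.
    no_mfa = [Finding("IA.L2-3.5.3", 5, "unmet") if f.practice == "IA.L2-3.5.3" else f
              for f in SAMPLE]
    print(conditional_eligible(no_mfa))
    print("POA&M deadline:", poam_deadline("2025-03-01"))
```

The second scenario in the demo is the one worth internalizing: with multifactor authentication unmet the score is still 100, comfortably above 88, yet no Conditional Certificate can be issued because a 5-point practice cannot sit on a POA&M. The deadline and overdue helpers are the pieces you would wire into whatever tracker holds your POA&M so that each item carries an owner and a date that is checked against the 180-day window.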

CMMC Level 3 controls

CMMC Level 3 certification builds on Level 2, which means you must first implement all 110 NIST SP 800-171 R2 practices before upgrading to Level 3.

This level focuses on securing sensitive, high-value information—specifically CUI—and helps protect against advanced cybersecurity threats. Achieving Level 3 demonstrates your organization's maturity in cybersecurity practices, which builds trust and helps position your company as a reliable partner.

In addition to 110 NIST 800-171 practices, Level 3 requires 24 more practices from NIST SP 800-172 (Feb 2021), which focuses on advanced threat protection. These additional practices are essential for strengthening your organization's defenses against sophisticated attacks, further improving your cybersecurity maturity.

Some of the Level 3 domains, with example practices drawn from NIST SP 800-172:

Awareness and Training
  • Advanced Threat Awareness
  • Practical Training Exercises
Configuration Management
  • Authoritative Repository
  • Automated Detection & Remediation
  • Automated Inventory
Incident Response
  • Security Operations Center
  • Cyber Incident Response Team
Risk Assessment
  • Threat-Informed Risk Assessment
  • Advanced Risk Identification
  • Supply Chain Risk Response
Security Assessment
  • Penetration Testing

The Level 3 assessment is government-led and conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which is responsible for overseeing the certification process for contractors in the defense sector. It encompasses various practices related to automation and extensive risk assessments, which makes it potentially resource-intensive.

The good news is that the Conditional Certificate is available for Level 3 under the same conditions as for Level 2. If your initial assessment reveals at least 80 percent compliance, you can submit a POA&M to receive an additional 180 days to implement the remaining practices.

As per the DoD’s official resources, your Level 3 (and Level 2) certification will lapse if you fail to affirm compliance annually. This means that even though the certificate lasts for three years, you’ll need to self-assess your security practices, policies, and procedures at least once a year to ensure ongoing adherence to CMMC practices.


Common challenges of CMMC certification

Pursuing CMMC certification can be laborious and time-consuming, especially if you're looking to obtain a Level 2 or Level 3 certificate. The related assessments are extensive and examine nearly every aspect of your security infrastructure, presenting notable challenges such as:

  • Scoping: Outlining a precise CMMC scope can be challenging, especially for organizations with complex IT infrastructures. You must identify where you store, process, and transmit FCI or CUI—including systems, applications, users, and data flows. Focusing resources on securing these critical areas is essential for reducing risk exposure and ensuring compliance efficiency.
  • Extensive documentation: You’ll need to gather comprehensive documentation to provide evidence of implementation of CMMC practices and affirm compliance confidently. You must outline precisely how you’ve met each practice and keep records updated as your organization evolves.
  • Resource constraints: SMBs may face greater challenges in implementing CMMC compared to larger organizations, mainly due to limited internal resources and inefficient workflows. Some practices require dedicated teams, which many SMBs lack, making it difficult to allocate the necessary time and expertise.
  • Disruption of daily activities: Self-assessments and third-party assessments necessary for CMMC certification can place significant pressure on IT and compliance teams. The same goes for other departments involved in the certification process, which might struggle to balance everyday tasks with compliance practices. You’ll also need to conduct targeted training on FCI and CUI handling to ensure organization-wide CMMC implementation, which adds to the time and effort you’ll spend on compliance.

The easiest and most cost-effective way to avoid these challenges is to adopt a compliance automation solution. The right platform should automate tedious tasks like evidence collection and provide clear guidance on implementation to remove guesswork.

Implement CMMC controls with Vanta

Vanta is a comprehensive trust management platform that offers clear, prescriptive guidance and resources to help you implement the in-scope CMMC controls. Its dedicated CMMC solution includes features such as:

  • Out-of-the-box support for all certification levels
  • Automated evidence collection supported by 375+ integrations
  • Centralized tracking of CMMC practices
  • Continuous monitoring of CMMC practices using automated tests

“CMMC practices are largely sourced from NIST 800-171, so that’s the framework that significantly overlaps with CMMC. At Vanta, we have already done this work for our customers and cross-mapped these frameworks.”

Ethan Heller

Vanta also automatically cross-references your controls to avoid duplicative workflows.

While you can’t choose your Level 3 auditor, you can pick a reputable and helpful C3PAO for a Level 2 assessment as the prerequisite for Level 3 certification. To find the best option, you can tap into Vanta’s extensive partner network.

Schedule a custom demo to see Vanta in action.


A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.

CMMC controls explained: A complete guide for DoD contractors

Written by
Vanta
Reviewed by
Crystal Jackson
GRC Product SME
