RSI Security

How to Achieve CMMC Compliance: A Comprehensive Guide

Cybersecurity Maturity Model Certification (CMMC) compliance is a Department of Defense (DoD) framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Defense Industrial Base (DIB). The CMMC program applies to all DoD contractors and subcontractors that handle sensitive government data, regardless of size or contract value.

An estimated 300,000 companies within the DIB will need to meet CMMC compliance requirements to remain eligible for DoD contracts. For many organizations, this represents a significant shift in how cybersecurity controls, policies, and documentation are managed.

Although the DoD has established the CMMC Advisory Board, formal certification through authorized Third-Party Assessment Organizations (C3PAOs) is still rolling out. However, organizations do not need to wait. There are critical preparation steps companies can take now to strengthen their security posture, close compliance gaps, and avoid last-minute remediation. Proactive preparation is especially important for organizations that have historically lacked mature documentation, defined controls, or consistent security processes.

Level 1: Federal Contract Information (FCI) Protection

CMMC Level 1 compliance is designed for organizations that only handle Federal Contract Information (FCI) and do not process Controlled Unclassified Information (CUI). This level allows smaller or lower-risk DoD contractors to meet baseline cybersecurity requirements while remaining eligible to do business with the Department of Defense.

Rather than imposing excessive controls, the CMMC framework scales requirements based on the type of data an organization handles. Companies that work exclusively with FCI can certify at Level 1 without implementing the more complex security controls required for higher levels. This approach helps organizations that previously found cybersecurity compliance burdensome or unattainable establish a manageable security baseline.

CMMC Level 1 requirements are primarily derived from FAR Clause 52.204-21, which outlines 15 basic safeguarding requirements for FCI. While the broader CMMC framework references standards such as NIST SP 800-171, CIS Controls, and NIST SP 800-53, these more advanced controls apply primarily to organizations that handle CUI. Companies already aligned with NIST SP 800-171’s 110 controls are well positioned to pursue CMMC Level 2 or higher, but those controls are not required for Level 1 certification.


NIST 800-171 vs. CMMC Compliance: Key Differences

While NIST 800-171 and CMMC compliance share the goal of protecting Controlled Unclassified Information (CUI), there are important differences contractors need to understand.

NIST 800-171 requires organizations to implement all 110 security controls with documented processes, procedures, and practices. Its scope covers all nonfederal systems and organizations that process, store, or transmit CUI, or provide protection for such systems. Compliance is largely self-assessed; there is no formal third-party verification, making it an honor-based framework.

CMMC, on the other hand, introduces maturity levels for both Processes and Practices. Contractors are not required to adopt the full set of NIST 800-171 controls if their operations involve lower-risk activities. However, certification requires alignment between Processes and Practices:

Another key distinction is third-party validation. Unlike NIST 800-171, CMMC compliance requires assessment by an authorized Third-Party Assessment Organization (C3PAO). Proof of certification will be mandatory during the bidding process, and noncompliance can directly impact contract awards. Levels will be explicitly referenced in both Requests for Information (RFIs) and Requests for Proposals (RFPs).

Tip: Download our CMMC Whitepaper: Best Cybersecurity Practices for DoD Contractors for actionable guidance on preparing for certification.

Handling Controlled Unclassified Information (CUI) in CMMC Levels 3–5

CMMC Levels 3 through 5 are focused on protecting Controlled Unclassified Information (CUI). Any contract that involves CUI will require contractors to meet higher compliance standards, making these levels more demanding than Level 1 or 2.

To navigate these requirements, it’s important to understand how CMMC is structured:

  1. Domains – Broad areas of cybersecurity focus (e.g., Access Control, Incident Response).
  2. Capabilities – Subcategories within each Domain that represent specific security objectives.
  3. Practices – One or more security controls supporting each Capability.

Certification depends on both Practices and Processes. Achieving all required Practices alone is not sufficient. Organizations must also demonstrate maturity in Processes according to the CMMC Maturity Model. This ensures that security measures are not only implemented but institutionalized and repeatable.


Understanding CMMC Domains

In CMMC compliance, Domains are defined as “key sets of capabilities for cybersecurity.” They act as high-level categories that organize the overall compliance framework, helping organizations implement security controls in a structured and systematic way.

Most CMMC Domains are derived from Federal Information Processing Standards (FIPS) Publication 200 and correlated requirement families from NIST SP 800-171, ensuring alignment with widely recognized cybersecurity standards.

CMMC Top-Level Domains

The CMMC framework consists of 17 Domains, each covering a critical area of cybersecurity:

  1. Access Control (AC)
  2. Audit and Accountability (AU)
  3. Awareness and Training (AT)
  4. Configuration Management (CM)
  5. Identification and Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Media Protection (MP)
  9. Personnel Security (PS)
  10. Physical Protection (PE)
  11. Risk Management (RM)
  12. Security Assessment (CA)
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)
  15. Situational Awareness (SA)
  16. Asset Management (AM)
  17. Recovery (RE)

Each Domain contains Capabilities and Practices, which define the specific security measures your organization must implement to achieve CMMC compliance.


Understanding CMMC Capabilities

In CMMC compliance, Capabilities are defined as “achievements that ensure cybersecurity within each Domain.” They represent the specific objectives an organization must accomplish to meet the requirements of a Domain.

Each Domain contains one or more Capabilities, providing a structured approach to implementing security controls. For example:

By achieving the required Capabilities under each Domain, organizations can implement the Practices necessary to demonstrate CMMC compliance at their target Level.


Understanding CMMC Practices

In CMMC compliance, each Capability consists of one or more Practices. Practices are essentially cybersecurity controls, representing the specific actions an organization must implement to meet the requirements of a Capability.

For reference, the number of Practices per Domain and Level is detailed in CMMC v1.0, page 11, and the Level 1 Practices for each Domain are listed starting in section 2.7.2, page 12 of the official documentation.

Example: The Level 1 Practices for the Access Control (AC) Domain include specific controls designed to establish system access requirements, manage internal and remote system access, and limit data access to authorized users.

By implementing the required Practices for your desired Level, your organization ensures it meets the CMMC compliance requirements for cybersecurity and eligibility for DoD contracts.


Access Control (AC) Practices for CMMC Compliance

Level 1 Access Control (AC) Practices focus on protecting Federal Contract Information (FCI). Key practices include:

  1. Limit system access to authorized users, processes acting on behalf of users, or devices (including other information systems).
  2. Restrict access to only the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control external system connections, limiting use of outside information systems.
  4. Manage information posted or processed on publicly accessible systems to prevent unauthorized exposure.

Overview of Practices Across CMMC Levels

CMMC compliance includes 171 Practices across Levels 1–5, with requirements scaling based on the sensitivity of data handled:

  Level 1 – 17 Practices (FAR 52.204-21). Focused on FCI protection.
  Level 2 – 65 NIST SP 800-171 Practices + 7 additional Practices. Transitional level; includes all Level 1 Practices and helps prepare for Level 3.
  Level 3 – 110 NIST SP 800-171 Practices + 20 additional Practices. Includes all Practices from Levels 1 and 2; required for CUI protection.
  Level 4 – All Practices from Levels 1–3 + 26 additional Practices. Enhanced protection against Advanced Persistent Threats (APTs).
  Level 5 – All Practices from Levels 1–4 + 15 additional Practices. Maximum maturity for CUI protection and APT defense.

Tip: Level 2 is a stepping stone to Level 3, allowing companies to get certified for their current efforts while preparing for more stringent requirements.

Company Maturity in CMMC Compliance

CMMC compliance is not just about implementing security Practices or controls; it also requires organizations to demonstrate Process maturity.

Process maturity refers to how institutionalized and ingrained cybersecurity activities are within a company’s operations. According to the DoD, the more deeply a Practice is embedded, the more likely the organization is to consistently perform it, even under pressure or during high-stress situations.

In practical terms, this means that achieving CMMC certification requires more than checking boxes—it requires that your Processes are repeatable, well-documented, and resilient, ensuring consistent outcomes across the organization.


CMMC Process Requirements

To achieve CMMC compliance at a specific Level, organizations must implement not only the required Practices (controls) but also the corresponding Processes. This ensures that security measures are not only established but consistently effective.

The five CMMC Maturity Levels for Processes are:

  1. Performed – Practices are executed but not formally documented.
  2. Documented – Practices are written down and standardized.
  3. Managed – Practices are actively monitored and managed.
  4. Reviewed – Practices are regularly assessed for effectiveness and improvement.
  5. Optimizing – Practices are continuously improved based on metrics and lessons learned.

By aligning both Practices and Processes with the appropriate Level, organizations demonstrate that cybersecurity is institutionalized, repeatable, and resilient, meeting DoD expectations for certification.


CMMC Maturity Levels Explained

CMMC evaluates Process maturity across five levels, ranging from basic execution of security Practices to fully optimized, proactive cybersecurity:

  1. Level 1 – Performed
  2. Level 2 – Documented
  3. Level 3 – Managed
  4. Level 4 – Reviewed
  5. Level 5 – Optimizing / Proactive

By achieving the appropriate Maturity Level, organizations demonstrate that their Processes and Practices are institutionalized, repeatable, and resilient, meeting DoD expectations for CMMC certification.


Get Ready for CMMC Compliance

NIST 800-171 compliance remains the foundation for preparing for CMMC certification. The best way to ensure a smooth transition to CMMC is to achieve full compliance now.

At RSI Security, we have over 10 years of experience helping businesses comply with complex cybersecurity frameworks. Our team of experts specializes in NIST 800-171 compliance and is preparing to become a Certified Third-Party Assessment Organization (C3PAO) once the program is available.

We consistently help clients achieve 100% pass rates because we focus on practical, actionable compliance strategies tailored to each organization.

Take action now: Contact RSI Security today for a free consultation and discover how to position your company for CMMC compliance and successful DoD contracting.

Download Our CMMC Checklist 