The CMMC Framework Structure
Explore the cybersecurity maturity model framework to enhance compliance and security in defense contracts.
---
CMMC — the Cybersecurity Maturity Model Certification — is the DoD's (Department of Defense's) framework for requiring defense contractors to meet documented cybersecurity standards. Before CMMC, contractors self-reported their compliance scores. Now the DoD is moving toward third-party verification. Understanding how the framework is structured tells you exactly what's required of you and why.
Three Levels, Two Categories of Information
CMMC has three certification levels, and which one applies to you depends on the type of information your contract involves.
There are two categories of federal contract information that drive CMMC requirements:
FCI — Federal Contract Information. Information provided or generated under a government contract, not intended for public release. If your company does any work for the federal government, you almost certainly handle FCI. Manufacturing specs, contract deliverables, bid submissions — most of this qualifies.
CUI — Controlled Unclassified Information. A more sensitive category. Information the government designates as requiring specific handling and protection controls. Technical drawings, export-controlled data, personnel records with privacy implications, sensitive program information. CUI is formally designated and should be marked.
Those two categories map to CMMC levels:
- Level 1 (Foundational): Protects FCI only. 15 practices, all self-assessed annually. No third-party assessment required.
- Level 2 (Advanced): Protects CUI. 110 practices aligned to NIST SP 800-171 (the National Institute of Standards and Technology's standard for protecting CUI in nonfederal systems). Third-party assessment required for most contracts with CUI.
- Level 3 (Expert): Protects CUI against advanced persistent threats — nation-state level attackers. Based on NIST SP 800-172 (an enhanced set of requirements building on 800-171). Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
The vast majority of defense contractors dealing with CMMC are working toward Level 2. Level 3 applies to a smaller set of high-priority programs, primarily those related to weapons systems and critical defense technologies.
The 14 Domains
At Level 2, the 110 required practices are organized into 14 domains. Each domain covers a specific security topic. The domains are:
- AC — Access Control (22 practices): Who can access your systems and CUI, and how that access is granted, managed, and revoked.
- AT — Awareness and Training (3 practices): Security training for everyone who touches your systems.
- AU — Audit and Accountability (9 practices): Logging, monitoring, and reviewing what happens in your environment.
- CA — Security Assessment (4 practices): Evaluating whether your controls actually work and managing your security plans.
- CM — Configuration Management (9 practices): Controlling what's installed and configured on your systems.
- IA — Identification and Authentication (11 practices): Proving that users are who they say they are — passwords, multi-factor authentication, account management.
- IR — Incident Response (3 practices): What you do when something goes wrong.
- MA — Maintenance (6 practices): How you perform and control maintenance on your systems.
- MP — Media Protection (9 practices): Handling, storing, transporting, and disposing of media that contains CUI.
- PE — Physical Protection (6 practices): Controlling who physically enters spaces where CUI is processed.
- PS — Personnel Security (2 practices): Screening people before they get access to CUI and managing their departure.
- RA — Risk Assessment (3 practices): Identifying and assessing risk to your systems and CUI.
- SA — System and Services Acquisition (3 practices): Security requirements in how you acquire systems and services.
- SC — System and Communications Protection (16 practices): Encrypting and protecting CUI in transit, network segmentation, boundary controls.
- SI — System and Information Integrity (7 practices): Malware protection, patching, monitoring for unauthorized activity.
That list has 15 entries, while CMMC formally defines 14 domains. The SA domain (System and Services Acquisition) is sometimes folded into other domains in training materials; either way, all 110 practices exist across this structure.
How Practices Work
Each practice is a specific security requirement. They're written in the form "Do X" — not "consider X" or "have a policy about X." At Level 2, the assessor evaluates each practice using three methods: examining your documentation, interviewing your personnel, and testing your controls. All three.
For example, AC.L2-3.1.1 requires you to limit system access to authorized users, processes acting on behalf of authorized users, and devices. That's not satisfied by having a policy that says "only authorized users should have access." It's satisfied when your assessor can examine your access control lists, interview your system administrator about how access is granted, and test that unauthorized access attempts are rejected.
A practice is either "Met" or "Not Met." There's no partial credit at the practice level.
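To make the "examine" and "test" methods for AC.L2-3.1.1 concrete, here is an added example (not from the original article or any CMMC publication) that reconciles a constructed ACL export from a CUI file share against the authorized roster an SSP would reference, and reports the practice as Met or Not Met. The roster, ACL entries and principal kinds are all constructed sample data.

```python
"""Evidence check for CMMC practice AC.L2-3.1.1: limit system access to
authorized users, processes acting on behalf of users, and devices.
Constructed sample data; not an official assessment tool."""

# Constructed roster: the principals the SSP says are authorized for the CUI share.
AUTHORIZED = {
    "user": {"alice", "bob"},
    "service_account": {"svc-backup"},   # processes acting on behalf of users
    "device": {"ws-0101", "ws-0102"},
}

# Constructed ACL export: (principal, kind) pairs pulled from the share's ACL.
ACL_EXPORT = [
    ("alice", "user"), ("bob", "user"), ("mallory", "user"),
    ("svc-backup", "service_account"), ("svc-legacy", "service_account"),
    ("ws-0101", "device"), ("laptop-unknown", "device"),
    ("printer-07", "appliance"),   # kind the roster does not recognise at all
]


def reconcile(acl, authorized):
    """Return principals on the ACL that the roster does not authorize, grouped by kind.

    A principal whose kind is not in the roster is a finding too: the SSP should
    account for every kind of entity that can reach CUI, not only the ones listed.
    """
    findings = {}
    for principal, kind in acl:
        roster = authorized.get(kind)
        if roster is None or principal not in roster:
            findings.setdefault(kind, []).append(principal)
    return findings


def practice_status(findings):
    """Met/Not Met is all-or-nothing at the practice level: one stray entry fails it."""
    return "Met" if not findings else "Not Met"


if __name__ == "__main__":
    gaps = reconcile(ACL_EXPORT, AUTHORIZED)
    print(practice_status(gaps), gaps)
```

Running the same reconciliation after the ACL has been cleaned up should return an empty findings dict and therefore "Met"; keep both runs as assessment evidence.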
The Common Mistake
The most common structural misunderstanding is a contractor assuming CMMC Level 1 covers all of its obligations because it "doesn't have CUI." But many contractors handle CUI without realizing it — technical data, export-controlled engineering drawings, and program information often qualify.
If your contract includes DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012, CUI is present. If you're receiving technical drawings, specifications, or program data from DoD, CUI is likely present. Level 1's 15 practices are designed for basic FCI — they're nowhere near sufficient for protecting CUI.
Check your contracts. If DFARS 252.204-7012 is included, you're in Level 2 territory.
Plans: The SSP and POA&M
Two documents are central to any CMMC assessment:
SSP — System Security Plan. The master document describing how your organization implements each of the 110 practices. Where your CUI lives, what security controls are in place, and how those controls are configured and maintained. Every CMMC Level 2 contractor needs one.
POA&M — Plan of Action and Milestones. Documents practices you haven't fully implemented yet, with a timeline and plan for getting there. Having open POA&M items doesn't automatically mean you fail — it depends on which practices are open and whether they're considered high-risk. But you cannot have more than a defined number of open items and still receive certification.
Which Level Is Yours
- If your DoD contract includes a CMMC Level 2 requirement: Level 2.
- If your contract includes only DFARS 252.204-7012 without a specific CMMC level: Level 2 readiness (NIST 800-171 compliance) is expected, and formal certification may be required at contract renewal.
- If your contract involves only FCI and no CUI: Level 1 self-assessment may suffice.
- If you're unsure: contact your contracting officer.
The framework is built to be specific. Use that specificity — it tells you exactly what you need to do.
---
Next step: If you've confirmed you're heading for Level 2, our Tier 2 article on the CMMC assessment process walks through exactly what a C3PAO (Certified Third-Party Assessor Organization) examines, in what order, and what you need to have ready.