CMMC 2.13
CMMC Practices
The Cybersecurity Maturity Model Certification, practice by practice — each one cross-referenced to the NIST controls that support it.
By level
All 149 practices →Level 1 · Foundational
15practices
Basic safeguarding of Federal Contract Information (FCI).
Browse Level 1Level 2 · Advanced
110practices
Protecting Controlled Unclassified Information (CUI); aligned to NIST SP 800-171.
Browse Level 2Level 3 · Expert
24practices
Reducing risk from advanced persistent threats; adds NIST SP 800-172 requirements.
Browse Level 3By domain
ACAccess Control28ATAwareness & Training5AUAudit & Accountability9CMConfiguration Management12IAIdentification & Authentication15IRIncident Response5MAMaintenance6MPMedia Protection10PSPersonnel Security3PEPhysical Protection8RARisk Assessment10CASecurity Assessment5SCSystem & Communications Protection19SISystem & Information Integrity14
Supporting standards
CMMC practices are cross-referenced to NIST SP 800-171, 800-172, and 800-53 — the standards they’re built on. Browse the reference standards →