If you are looking into the process of becoming CMMC compliant, you are probably wondering how many CMMC controls you need to comply with. Keep reading to discover the answer and learn more about CMMC.
CMMC: The Basics
The Cybersecurity Maturity Model Certification is a cybersecurity framework designed by the Department of Defense (DoD) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) throughout the Defense Industrial Base (or DIB).
Defense contractors and subcontractors are required to comply with the appropriate CMMC level as a condition of contract award.
CMMC is divided into three progressive levels as follows:
- Level 1 (Foundational): Addresses the protection of Federal Contract Information (FCI)
- Level 2 (Advanced): Addresses the protection of Controlled Unclassified Information (CUI)
- Level 3 (Expert): Details will be released by DoD at a later date.
How Many CMMC Controls Are There?
This is a reasonable question, given that, if you are looking to achieve CMMC compliance, one of the first things you want to know is how many requirements you need to meet.
However, the answer will vary depending on the CMMC level you want to attain.
As we saw earlier, CMMC levels are progressive. This means that the higher the certification level you aim for, the more security controls you need to implement.
Here’s a breakdown of the number of controls (the technical term is “practices”) per CMMC level:
- Level 1: 17 practices
- Level 2: 110 practices aligned with NIST SP 800-171 (17 Level 1 practices + 93 practices)
- Level 3: 110+ practices based on a subset of NIST SP 800-172 requirements (precise number of practices to be determined)
CMMC practices are distributed across the following 14 families. The Level 2 figures below are the practices added at Level 2 on top of the Level 1 practices (93 in total, for 110 overall):
- Access Control (AC) – Level 1 practices: 4; Level 2 practices: 18
- Awareness and Training (AT) – Level 2 practices: 3
- Audit and Accountability (AU) – Level 2 practices: 9
- Configuration Management (CM) – Level 2 practices: 9
- Identification and Authentication (IA) – Level 1 practices: 2; Level 2 practices: 9
- Incident Response (IR) – Level 2 practices: 3
- Maintenance (MA) – Level 2 practices: 6
- Media Protection (MP) – Level 1 practices: 1; Level 2 practices: 8
- Personnel Security (PS) – Level 2 practices: 2
- Physical Protection (PE) – Level 1 practices: 4; Level 2 practices: 2
- Risk Assessment (RA) – Level 2 practices: 3
- Security Assessment (CA) – Level 2 practices: 4
- System and Communications Protection (SC) – Level 1 practices: 2; Level 2 practices: 14
- System and Information Integrity (SI) – Level 1 practices: 4; Level 2 practices: 3
How To Demonstrate Compliance With CMMC Practices?
Once you know the number of practices you need to implement, the next step is to understand how to demonstrate compliance.
Here the answer will depend on the CMMC level you intend to obtain. Compliance with the 17 practices of CMMC Level 1 can be demonstrated through annual self-assessments. For CMMC Level 2, however, you need to pass a third-party assessment. As for Level 3, triennial assessments carried out by government officials are required.
In CMMC Level 2, third-party assessments are performed by Certified Assessors who use three methods to establish whether you are observing all the required practices:
- Interviews. Interviews of applicable staff determine if CMMC practices are implemented as well as if adequate resourcing, training, and planning have occurred for individuals to perform the practices.
- Examinations. This includes reviewing, inspecting, observing, studying, or analyzing assessment objects such as documents, mechanisms, or activities.
- Tests. Demonstration that provides evidence that a CMMC practice is met.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063