Code of Federal Regulations · Section
§ 170.14 — CMMC Model
32 C.F.R. § 170.14
(a) Overview. The CMMC Model incorporates the security requirements from:
(1) 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
(2) NIST SP 800-171 R2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (incorporated by reference, see § 170.2); and
(3) Selected security requirements from NIST SP 800-172 Feb2021, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (incorporated by reference, see § 170.2).
(b) CMMC domains. The CMMC Model consists of domains that map to the Security Requirement Families defined in NIST SP 800-171 R2 (incorporated by reference, see § 170.2).
(c) CMMC level requirements. CMMC Levels 1-3 utilize the safeguarding requirements and security requirements specified in 48 CFR 52.204-21 (for Level 1), NIST SP 800-171 R2 (incorporated by reference, see § 170.2) (for Level 2), and selected security requirements from NIST SP 800-172 Feb2021 (incorporated by reference, see § 170.2) (for Level 3). This paragraph discusses the numbering scheme and the security requirements for each level.
(1) Numbering. Each security requirement has an identification number in the format—DD.L#-REQ—where:
(i) DD is the two-letter domain abbreviation;
(ii) L# is the CMMC level number; and
(iii) REQ is the 48 CFR 52.204-21 paragraph number, NIST SP 800-171 R2 requirement number, or NIST SP 800-172 Feb2021 requirement number.
(2) CMMC Level 1 security requirements. The security requirements in CMMC Level 1 are those set forth in 48 CFR 52.204-21(b)(1)(i) through (xv).
(3) CMMC Level 2 security requirements. The security requirements in CMMC Level 2 are identical to the requirements in NIST SP 800-171 R2.
(4) CMMC Level 3 security requirements. The security requirements in CMMC Level 3 are selected from NIST SP 800-172 Feb2021, and where applicable, Organization-Defined Parameters (ODPs) are assigned. Table 1 to this paragraph identifies the selected requirements and applicable ODPs that represent the CMMC Level 3 security requirements. ODPs for the NIST SP 800-172 Feb2021 requirements are italicized, where applicable:
Table 1 to § 170.14(c)(4)
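An added example, not part of the regulation text: a small parser for the DD.L#-REQ numbering scheme in paragraph (c)(1) that also resolves each level to the source document named in paragraphs (c)(2) through (c)(4), and a check for the one-year cap on organization-defined intervals from paragraph (d). The per-level shape of the REQ part, the "AC" domain abbreviation and the sample identifiers are assumptions modelled on the published CMMC model documents; this section does not spell them out.

```python
import re
from dataclasses import dataclass

# Source document for each CMMC level, as stated in § 170.14(c).
LEVEL_SOURCE = {
    1: "48 CFR 52.204-21",
    2: "NIST SP 800-171 R2",
    3: "NIST SP 800-172 Feb2021",
}

# Assumed shape of the REQ part for each level (the regulation only says REQ is the
# paragraph or requirement number of the level's source document):
#   L1: 52.204-21 paragraph path such as "b.1.i"
#   L2: 800-171 requirement number such as "3.1.1"
#   L3: 800-172 enhanced requirement number such as "3.1.2e"
REQ_SHAPE = {
    1: re.compile(r"^b\.\d+\.[ivx]+$"),
    2: re.compile(r"^3\.\d{1,2}\.\d{1,2}$"),
    3: re.compile(r"^3\.\d{1,2}\.\d{1,2}e$"),
}

# DD.L#-REQ: two-letter domain, level 1-3, then the source requirement number.
ID_PATTERN = re.compile(r"^(?P<dd>[A-Z]{2})\.L(?P<level>[123])-(?P<req>\S+)$")


@dataclass(frozen=True)
class CmmcRequirementId:
    domain: str
    level: int
    req: str
    source: str


def parse_requirement_id(text: str) -> CmmcRequirementId:
    """Split DD.L#-REQ into its parts and resolve the level's source document."""
    m = ID_PATTERN.match(text.strip())
    if not m:
        raise ValueError(f"not in DD.L#-REQ form: {text!r}")
    level = int(m.group("level"))
    req = m.group("req")
    if not REQ_SHAPE[level].match(req):
        raise ValueError(f"REQ {req!r} does not fit the Level {level} source numbering")
    return CmmcRequirementId(m.group("dd"), level, req, LEVEL_SOURCE[level])


def interval_is_acceptable(days: int) -> bool:
    """§ 170.14(d): an organization-defined 'periodic' interval may not exceed one year."""
    return 0 < days <= 365
```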
(d) Implementation. Assessment of security requirements is prescribed by NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800-172A Mar2022 (incorporated by reference, see § 170.2). Descriptive text in these documents supports OSA implementation of the security requirements and uses the terms organization-defined and periodically. Except where referring to Organization-Defined Parameters (ODPs), organization-defined means as determined by the OSA. Periodically means occurring at regular intervals. As used in many requirements within CMMC, the interval length is organization-defined to provide contractor flexibility, with an interval length of no more than one year.
Authorizing Statute: Departmental regulations, 5 U.S.C. § 301