<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=352585001801011&amp;ev=PageView&amp;noscript=1">
Tyler Thepsiri

By: Tyler Thepsiri on November 12, 2022

Print/Save as PDF

The CMMC 2.0 Framework: 14 Controls & 3 Certification Levels


Organizations that work as contractors or subcontractors to the Department of Defense (DoD) are required to comply with the NIST 800-171 framework. Cybersecurity Maturity Model Certification (CMMC) 2.0 is the next iteration of this framework

CMMC has been around since 2019. It is designed to protect information shared within the U.S. Defense Industrial Base (DIB) and the contract information necessary to produce the parts, systems, and components needed for national defense. 

In the past few years, CMMC has gone through a transformation

At this point, industry experts expect CMMC 2.0 will be a contractual requirement by 2025 (with indications that it may be operational to some degree as soon as 2023). 

If you are having trouble keeping track of the 14 control families outlined in CMMC 2.0, you are not alone. 

In this article, we’ll walk through the control families and define the certification levels, so that you’ll have a better understanding of the the requirements and can confidently discuss and implement what’s required. 

Why Is CMMC Important? 

The main goal of CMMC is to validate the safeguards and practices that ensure basic cyber hygiene and the protection of federal contract information (FCI) and controlled unclassified information (CUI), within the supplier and partner networks of the DIB.

This infographic from the National Archives CUI program blog provides a clear way to think about FCI and CUI and how they differ from public information

What Makes CMMC 2.0 Different? 

Unlike previous versions CMMC 2.0 has just three certification levels: foundational, advanced, and expert. The level of certification required by a contract will depend on the type of information the contractor or subcontractor accesses

Want to know more? Check out this article which includes everything we know so far about CMMC 2.0 certification.

What Are The 14 CMMC 2.0 Control Families?

The control families identified in CMMC mirror those outlined in NIST 800-171. They are:

1. Access Control (AC)

What It Means: 

Establish system access requirements. Control internal system access. Control remote system access. Limit data access to authorized users and processes.

2. Audit and Accountability (AU)

What It Means: 

Define audit requirements. Perform audits. Identify and protect audit information. Review and manage audit logs.

3. Awareness and Training (AT) 

What It Means: 

Conduct security awareness and training activities.

4. Configuration Management (CM) 

What It Means: 

Establish configuration baselines. Perform configuration and change management.

5. Identification and Authentication (IA) 

What It Means: 

Grant access to authenticated entities.

6. Incident Response (IR) 

What It Means: 

Plan incident response. Detect and report events. Develop and implement a response to a declared incident. Perform post-incident reviews. Test incident response.

7. Maintenance (MA)

What It Means:  

Manage maintenance.

8. Media Protection (MP) 

What It Means: 

Identify and mark media. Protect and control media. Sanitize media. Protect media during transport.

9. Personnel Security (PS) 

What It Means: 

Screen personnel. Protect CUI during personnel actions.

10. Physical Protection (PE)

What It Means: 

Limit physical access.

11. Risk Management (RM)

What It Means: 

Identify, evaluate, and manage risk. Manage supply chain risk.

12. Security Assessment (CA) 

What It Means: 

Develop and manage a system security plan. Define and manage controls. Perform code reviews.

13. Systems and Communications Protection (SC)

What It Means:

Define security requirements for systems and communications.

14. System and Information Integrity (SI)

What It Means: 

Identify and manage information systems flaws. Identify malicious content. Perform network and system monitoring. Implement advanced email protections.

Each of these areas is further defined by controls that describe processes or practices against which your company will be evaluated. 

While only a few of these areas are relevant to Level 1, they are all relevant to Levels 2 and 3. Each level of certification builds upon the prior and represents increased levels of cybersecurity compliance and potential capability with more total controls across domains required for certification at Levels 2 and 3.

Related article: Why Is It Important To Prepare Now For CMMC 2.0?

Where Do You Go From Here? 

This article outlines the 14 control families of CMMC 2.0. You now have a better understanding of the framework and what is required. 

Some organizations have in-house resources that can take a leadership role in preparing for compliance to the CMMC 2.0 framework. Others may need to lean on external resources for help. 

No matter your situation, I encourage you to begin taking steps forward, as it will put your organization in a better position to navigate the requirements before they are included in your contracts

And, even if you don’t have contractual requirements, the framework outlined in CMMC 2.0 will enhance your overall cybersecurity efforts and help keep your organization and data safe. 

Not sure where to start with CMMC 2.0? Click on the button below and download the checklist to learn 5 actions you can take today to prepare to meet the CMMC 2.0 requirements

5 Steps To Take Now To Prepare For CMMC Compliance

If you are looking for an external provider, we encourage you to check out several providers to ensure that you get the right fit for your organization. No matter how you choose to proceed, take action today so your organization is protected from cybercrime and prepared when CMMC 2.0 is rolled out.

We believe so strongly in the importance of evaluating several providers that we’ve already done some of the legwork for you. Read this honest comparison of Walker vs. Kelser to see how we stack up against one of our competitors.

Kelser offers managed IT support offerings that help customers meet compliance and regulatory requirements. But, we know that managed IT isn’t right for every organization. That’s why we are committed to providing educational articles like this one that explain important IT subjects business leaders like you need to know

If you are curious, check out this article to find out what managed it is, what it includes and how much it costs

We often get asked what size companies are a good fit for managed it, so we address that question first hand. 

If you are further along in your investigation of managed IT and prefer to talk with a person, click on the link below, fill out the form, and one of our IT experts will get in touch within 24 hours (often much sooner). 

Talk with a Human


About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.

Suggested Posts

Visit Our Learning Center