Cybersecurity Maturity Model Certification (CMMC) and Controlled Unclassified Information (CUI)

Cybersecurity Maturity Model Certification (CMMC) is the method the US Government uses to audit compliance with NIST SP 800- 171. Various government agencies, including the Department of Defense (DoD) contractors, need to meet these requirements. CMMC replaces the Defense Industrial Base (DIB), which was not widely adopted. 

Conservative estimates reveal up to 300,000 organizations will be in the scope of CMMC. Many of those are not traditional defense contractors. Many potentially impacted organizations are due to third parties’ trickle-down effect that can affect the confidentiality of Controlled Unclassified Information (CUI) where it is stored, transmitted, or processed. 

There are five levels of CMMC, and each has its own specific set of practices that will be in the scope during a CMMC audit. 

CMMC Level 1: 17 controls 

CMMC Level 2: 72 controls (includes the Level 1 controls) 

CMMC Level 3: 130 controls (includes the Level 2 controls) 

CMMC Level 4: 156 controls (includes the Level 3 controls) 

CMMC Level 5: 171 controls (includes the Level 4 controls) 

CMMC Capacity Domains

Access Control (AC) Incident Reponse (IR) Risk Management (RM)
Asset Management (AM) Maintenance (MA) Security Assessment (CA)
Awareness and Training (AT) Media Protection (MP) Situational Awareness (SA)
Audit and Accountability (AU) Personnel Security (PS) System and Communications Protection (SC)
Configuration Management (CM) Physical Protection (PE) System and Information Integrity (SI)
Identification and Authentication (IA) Recovery (RE)

CMMC is not NIST 800-171

NIST 800-171 contains 110 CUI, and 63 Non-Federal Organization (NFO) controls. The NFO controls are included in Appendix E. To become compliant with NIST 800-171, organizations need to comply with both the CUI and NFO controls. 

CMMC only focuses on CUI controls. If NIST 800-171 is required, CMMC does not fulfill the requirement. Organizations that claim NIST 800-171 compliance incorrectly violate the False Claims Act (FCA). CMMC is a third-party validation to the necessary level of compliance.

CMMC requires a third party audit to gain certification. NIST 800-171 is a ‘self-certification.’ 

CMMC mapping to various security standards is available in the References.

CMMC Levels

CMMC levels

Level 1

The 17 controls that makeup CMMC Level 1 directly map to the Federal Acquisition Regulation (FAR) 52.204-21.A CMMC Level 1 audit will cover 15% of the NIST 800-171 controls. Level 1 creates a basic cyber hygiene standard such as using antivirus software and changing passwords regularly. Level 1 may be applied to Federal Contract Information (FCI) which is information not intended for public release.

Level 2 

There are 72 controls that makeup CMMC Level 2. This includes the CMMC Level 1 controls. A CMMC Level 2 audit will cover 65% of the NIST 800-171 controls. Level 2 established an intermediate cyber hygiene standard to protect any CUI.

Level 3 

There are 130 controls that makeup CMMC Level 3, including the CMMC Level 1 and 2 controls. A CMMC Level 3 audit will cover 100% of the NIST 800-171 CUI controls and 21 controls from various sources. Level 3 established a good cyber hygiene standard to protect any CUI. 

Level 4 & 5

There are 156 controls for CMMC Level 4.There are 171 controls for CMMC Level 5.The total number of controls is greater than NIST 800-171. CMMC Level 4 & 5 controls include all the previous Level 1, 2, 3 controls plus controls from other frameworks. 

Level 4 certification must include processes to review and measure the effectiveness of controls as well as establishing practices to detect and respond to changing tactics, techniques, and procedures of Advanced Persistent Threats (APT). An APT is an adversary that possesses sophisticated levels of expertise and significant resources to create multiple attack vectors. 

Level 5 certification must have standard and optimize processes in place across the organization and additional enhanced practices to provide more sophisticated capabilities to detect and respond to APTs.

CMMC Level 4 & 5 organizations also need to meet CMMC C034-P1163 to create, maintain, and leverage a documented security strategy and roadmap. Cybersecurity business plans and strategy will be in scope for the CMMC audit.

NIST 800-171 NFO Controls

The additional NIST 800-171 NFO controls are broken down into four tailoring criteria. There are more than 63 controls listed in the table below because some controls have additional sub-controls. 

SYMBOL Tailoring Criteria # of Appendix E Controls
NCO Not directly related to protecting the confidentiality of CUI 32
FED Uniquely federal, primarily the responsibility of the federal government 14
NFO Expected to be routinely satisfied by nonfederal organizations without specification 16
CUI The CUI basic or derived security requirement is reflected in and is traceable to the security control, control enhancement, or specific elements of the control/enhancement 60

CMMC Domain and Capability & Practice Mapping 

SecureCircle Approach to CMMC & Data Security 

SecureCircle’s persistent data security and frictionless impact on users and applications allow SecureCircle to apply security to broad data segments rather than only securing the most critical data.To accomplish this, SecureCircle enables granular control and permissions for users, admins, groups, devices, applications, and networks. The combination of broad features and granular controls allow organizations to configure SecureCircle to meet security and compliance requirements. 

SecureCircle enables organizations to meet CMMC controls and practices by configuring Circle policies, admin and user roles, network policies, admin and user groups, and integrate with central identity solutions and Syslog aggregation or Security Information and Event Management (SIEM) solutions. 

SecureCircle is a client-server architecture and will function as long as client-server communication is possible. VPN and proxy connections are supported. Offline usage is configurable to balance security and compliance requirements with productivity. There are no limitations to the file size, file type, application, or host operating system. 

Since data is persistently secured, SecureCircle doesn’t need to block data transfer.Any data transfer, including removable devices or third-party cloud solutions, only transfers secured data.Organizations retain control of data regardless of location.

SecureCircle is aware of new applications that are attempting to access secured data in files. Default policies block new applications from accessing secured data. Administrators have full control over which applications can access secured data. Admins can also apply firewall-like inbound and outbound rules to applications. 

Since traditional discovery or classification is not required, customers deploy in days and not months. Finally, SecureCircle removed the operational overhead that typically comes with legacy data loss prevention (DLP) tools. Since all data is secured by default, and security follows the data regardless of location, there is no need to create and maintain complex and error-prone DLP rules.

SecureCircle Direct Mapping 

For each domain (sheet), the first column defines the set of expected capabilities. Each capability is assigned a unique C##. The next five columns break out the five defined levels of CMMC and the associated practices. Each practice is assigned a unique number P1###. Not every capability has practices at every level. However, once a practice is introduced, it applies to the level it is in and and all higher levels.Some levels may have more than one practice per capability.

Below each practice is a bulleted list of references that informed the development of the practice. These sources are not additional requirements for the model and server to provide additional information. Some practices have multiple references. Some practices, particularly those referenced to ‘CMMC’, were developed by the CMMC working team or through collaboration with industry. 

SecureCircle addresses the practices in mulberry (purple) background and white text cells. Practices which SecureCircle does not address have a white background. 

Access Control (AC) mapping is available here. For a detailed mapping of all Capacity Domain & CMMC Controls >> Download SecureCircle CMMC Whitepaper

Access ControlCMMC standard mapping

SecureCircle Mapping

All Level 1, 2, 3 practices are highlighted.  The black background items are those that SecureCircle can help achieve compliance.

SecureCircle Mapping


Compliance is rarely achieved through systems and tools alone. SecureCircle makes no warranty or claims specific compliance requirements can be fulfilled. Consult a compliance officer or external auditor to assess your particular workflow, configuration, process, training, and other factors.

Ready to Get Started?

Secure your source code

Secure Your Source Code

Learn more about how SecureCircle secures Source Code for customers.

Read the Case Study
CMMC icon

Cybersecurity Maturity Model Certification

SecureCircle helps organizations meet over 40 controls and practices to obtain Level 3 certification.

Learn More