How Many CMMC Controls Are There?

Your company is one of the estimated three thousand companies in the defense supply chain that must be CMMC certified. The question now is, which level certificate do you need to qualify for the defense contract? And the all daunting question, what does this level entail? 

There are five levels in the Cybersecurity Maturity Module Certification (CMMC). Each has its own controls requirements that need to be met. Let’s break it down:

CMMC Level 1

CMMC level 1 has 17 controls. Although it has two more controls than FAR52.204-21, CMMC does comply with all 15 FAR controls under the scope of NIST 800-717. The seventeen controls are:

  1. Access control
  2. Asset management
  3. Audit and accountability
  4. Awareness and training
  5. Configuration management
  6. Identification and configuration
  7. Incident response
  8. Maintenance
  9. Media protection
  10. Personal security
  11. Physical protection
  12. Recovery
  13. Risk management
  14. Security assessment
  15. Situational awareness
  16. System and communications protection
  17. System and information integrity 

CMMC Level 2

CMMC level 2 has 72 controls, which is the 17 controls from level 1, with another 55 controls added in level 2. 48 of the 55 are part of NIST 800-717. The remaining seven controls come from various sources.

CMC Level 3

CMC Level 3 has a whopping 130 controls. The 130 controls include the 72 controls from levels 1 and 2 as well as 45 parts of NIST 800-717. The 13 controls which aren’t part of the NIST 800-717 come from different other sources.

CMC Level 4 and 5

CMC Level 4 has 156 controls, and CMC Level 5 has 171 controls. Because the NIST 800-717 only has 110 controls, the remaining controls needed to accumulate the required controls for levels 4 and 5 come from a variety of other sources:

  • CIS CSC 7.1
  • NIST 800-171B
  • CERT RMM v1.2
  • ISO 27002
  • NIST 800-53

What CMC Level Do Your Company Need? 

 Not all companies need to comply with all five levels. The easiest way to figure out is by asking two questions:

  1. Will Controlled Unclassified Information (CUI) be received, processed, and created by your organization?
  2. Will HVA (High-Value Assets) CUI be handled by your organization? 

If you answer no to both questions, you will require Level 1 and (depending on the stipulation of the DoD contract) Level 2.

If you only answer yes to question 2, you will require Level 3 and above (depending on the stipulation of the DoD contract).

But if you answer yes to both questions, you will require Level 4 and above.

CMMC Audit 

During a CMMC audit, your organization will be required to submit a documented security strategy and roadmap demonstrating how it is improving its cybersecurity practices. 

  • 15% of the NIST 800-171 CUI controls will be covered when doing the CMMC level 1 audit.
  • 59% of the NIST 800-171 CUI controls will be covered when doing the CMMC level 1 audit.
  • 100% of the NIST 800-171 CUI controls will be covered with the additional 20 controls from various sources when doing the CMMC level 1 audit.

Drastic measures and actions had to be taken to learn from past tragedies. A $600 billion economic loss due to Cybercrime in 2016 is a history lesson no one wants to repeat. Although just the sheer amount of controls required may look overwhelming, it is advisable to seek outside professional help. You can obtain a CMMC consultant in San Antonio, Detroit, Malibu, or any other place in the country to lessen the burden of getting the required controls for the CMC level you need.