The Best Way to Use CMMC Assessment Guides

Posted on July 30, 2021 by Jonathan Coronado

The Best Way to Use CMMC Assessment Guides

The Best Way to Use CMMC Assessment Guides

CMMC is a certification program to improve supply-chain security in the Defense Industrial Base (DIB). Eventually, the DoD will require that all DIB companies be certified at one of the five CMMC levels, which include both technical security controls and maturity processes laid out in the Cybersecurity Maturity Model framework.

The Cybersecurity Maturity Model Certification (CMMC) program is offered by the Department of Defense to ensure contractors can be trusted with sensitive data. To receive certification, third-party assessors must verify that a company has succeeded in meeting the technical and maturity requirements set out by DoD. The Department of Defense (DOD) has two CMMC model assessment guides that are fundamental to evaluating compliance with the CMMC framework. This blog post is intended for DoD contractors looking for additional clarification as they prepare for a CMMC assessment. The CMMC will teach you about the assessment guides, provide basic CMMC concepts and definitions, and introduce alternate names for some practices. The CMMC certification strives to give those who are unfamiliar with cybersecurity standards a better understanding of what the criteria means and how they may affect their business.

The Defense Information Systems Agency released the CMMC Assessment Guide Level 1 and Level 3 in November 2020. These are the documents that define what is required for certification under the Cybersecurity Maturity Model framework. Contractors should use the guides to prepare for certification, which assesses both technical security and maturity processes.

Level 2 is considered a transitional level in the certification. Though it's recognized as a milestone for progress from Level 1 to Level 3, CMMC is not yet required in DoD contracts. The certification defines requirements only up to Level 4 and Level 5, but these assessment guides have not been published yet.

"Which level are you required to achieve? It all depends on what type of data your DoD contract requires you to use."

3 Data Types That Determine CMMC Level

Public Information - No CMMC Certification Required

Organizations may not need to arrange a CMMC if their public information is already publicly available. If you work solely with public information in your DoD contract, you do not need CMMC certification. Public information is data identified as "Public Release Approved" or something similar, or it's unmarked information available from an uncontrolled, publicly available government source.

Federal Contract Information (FCI) - CMMC Level 1 Certification Likely

Classified federal contract information (FCI) is key data not for public release. Typically, CMMC is indicated in a document's marking or determined in an agreement. FCI does not require any additional accounting data than what is already produced through invoices and transactions. If you are required to submit data under the Financial Crimes Investigation (FCI) program, then Level 1 CMMC accreditation is enough which includes 17 cyber security practices.

Controlled Unclassified Information (CUI) - At Least CMMC Level 3 Certification Required

Controlled unclassified information (CUI) is FCI that comes with additional guidance in the form of special handling or safeguarding controls. Companies must clearly mark their physical and virtual assets as a Certified Unclassified Information (CUI). Additional guidance can be found in National Institute of Standards and Technology (NIST) Special Publication 800-171 or NIST SP 800. If your organization has dealings with the DoD and does business related to Government Controlled Unclassified Information, you need to be CMMC Level 3 certified as of October 31, 2016 in order to continue conducting such business. This includes compliance with all 133 practices and processes set out by CMMC Level 1, CMMC Level 2 and CMMC Level 3:

  • 17 Level 1 practices
  • 55 Level 2 practices
  • 2 Level 2 process-maturity requirements
  • 58 Level 3 practices
  • 1 Level 3 process-maturity requirement

These are definitions and guidelines, but the Department of Defense's contracting officer has the final say about your CMMC certification and how you should handle any data related to your contract.

The CMMC certification involves a set of practices and processes outlined by the Cybersecurity Maturity Model framework. The assessment guide opens with sections that establish a baseline, before diving into more detail about each practice.

The assessment guide discusses the data types included in this experience, the intended audience for the document, and how it is organized.

The Assessment and Certification section touchs on two important ideas. The first is that CMMC requirements are intended to apply to all contract organizations, regardless of size, constraints, or complexity. The other idea is assessment scope.As the assessment guide mentions but defers, CMMC is an international standard aimed at improving supply-chain security. Watch out for the definition of scoping as it is amended and published in future versions of assessment guides. To get an understanding of the scope for your assessment, it is crucial that you first understand the CMMC Framework and goals.

Now that we have identified the CMMC, it is time to think about how this certification will affect your company and where you should start.

The formal definition of CMMC is still being developed, but it includes both technical defenses and maturity processes set out in the Cybersecurity Maturity Model framework. Create a network diagram that identifies where FCI or CUI data is processed, transported, or stored. To identify our boundaries for assessment purposes, please draw a network perimeter boundary to show where your company's devices are located. Document the boundaries of your organization to share as part of discussions with your CMMC assessor. Make sure you examine these aspects to stay on target when conducting an assessment. It is important to only include necessary, assets, and locations in the assessment.

The Assessment Criteria and Methodology

Risks associated with supply chain security are evaluated according to the assessment criteria and methodology prescribed by CMMC. CMMC defines the assessment objects needed to verify implementation of practices. These include specifications, methods, individuals and activities.

These are the documents you will need:

Be prepared to demonstrate each practice with one or more of the three specified methods: interview, examination, and testing. Determine what kind of documentation, screenshots, reports or outputs will help provide evidence to show that you are in compliance with assessment objectives. One way to show the assessor that you have implemented these practices is to tell them about it, but often this will not be enough. We also recommend that assessors watch a process live, if possible.

The CMMC Practice and Process Descriptions

ChatFortress provides a guidelines that describe the CMMC practices and processes (link to This section of the guides provides detailed instructions for assessing each CMMC practice, which is outside of what the model document covers. The CMMC provides the identifier and statement, assessment objectives, potential assessment methods and objectives, discussion and examples, and key references.

CMMC Assessment Guide

Let's dig into the details.

This section explains the different practices required to implement a security program. The information in these guides are written for CMMC-specific notation and with a lot of material from technical cybersecurity. To illustrate, let's look at Access Control, the first practice in Domains 1. In the Level 1 Assessment Guide, find the section "Access Control (AC), Level 1 AC Practices" then follow along.


The practice identifier has three components separated by dots:

  • two uppercase letters: the domain (there are 17)
  • single-digit number: the CMMC level this practice is assigned to
  • three-digit number: the unique number of the practice throughout the model

Those three-digit identifiers aren't always consecutive within a domain, and they sometimes make big jumps from one domain to the next. But don't worry: you can still use the three-digit number to identify any practice.

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information system)

Following the practice identifier is the practice description: a sentence or two that concisely and formally defines the goal of the practice. Of the 130 practices in CMMC Levels 1-3, 110 come from NIST 800-171. Their practice descriptions come word-for-word from the NIST 800-171 standard. An additional 20 practices, also known as "delta practices," and 3 processes were developed for the CMMC.


Determine if:

[a] authorized users are identified;

[b] process acting on behalf of authorized users are identified;

[c] devices (and other system) authorized to connect to the system are identified;

[d] system access is limited to authorized users;

[e] system access is limited to process acting on behalf of authorized users; and

[f] system access is limited to authorized devices (including other system).

The assessment objectives are taken straight from NIST 800-171A. For the 23 practices and processes original to the CMMC, the Assessment Objectives section headers are followed by "[CMMC]."

The Assessment Objectives section spells out what an assessor will be looking at for a specific practice. The objectives are formatted as a list of outcomes identified by a bracketed lowercase letter used as reference in a later section of the practice description. The number of assessment objectives per practice varies from 1 to 10. All the objectives listed for a practice must be demonstrated to the assessor's satisfaction to pass that practice.



[SELECT FROM: Access control policy; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of active system accounts and the name of the individual associated with each account; notifications or records of recently transferred, separated, or terminated employees; list of conditions for group and role membership; list of recently disabled system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; system monitoring records; system audit logs and records; list of devices and systems authorized to connect to organizational systems; other relevant documents or records].


[SELECT FROM: Personnel with account management responsibilities; system or network administrators; personnel with information security responsibilities].

Test [SELECT FROM: Organizational processes for managing system accounts; mechanisms for implementing account management].


Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses [sic] non-privileged) are addressed in requirement 3.1.2 (AC.1.002).


Identify users, processes, and devices that are allowed to use company computers and can log on to the company network [a]. Automated updates and other automatic processes should be associated with the user who initiated (authorized) the process [b]. Limit the devices (e.g., printers) that can be accessed by company computers [c]. Set up your system so that only authorized users, processes, and devices can access the company network [d,e,f]. This practice, AC.1.001, controls system access based on user, process or device identity. AC.1.001 leverages IA.1.076, which provides a vetted and trusted identity for access control required by AC.1.001.

Example 1

Your company maintains a list of all personnel authorized to use company information systems [a]. This list is used to support identification and authentication activities conducted by IT when authorizing access to systems [a,d].

Example 2

A coworker wants to buy a new multi-function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network and will prevent network access by unauthorized systems and devices [c]. You help the coworker submit a ticket that asks for the printer to be granted access to the network and appropriate leadership approves the device [f]. Potential Assessment Considerations • Is a list of authorized users maintained that defines their identities and roles [a]? • Are account requests authorized before system access is granted [d,e,f]?4

The Potential Assessment Considerations section includes questions that may help an assessor determine whether an organization has met the assessment objectives. The assessment objectives are also referenced in brackets for clarity, and this information doesn't prescribe a specific implementation or include all the assessment objectives.

Below are six examples of CMMC practices paired with a rephrasing intended to provide some additional clarification and explanation.

You can find all of the 133 Level 1-3 practices and processes in this separate document (link to CMMC requirements).

Identification and Authentication (IA)

Practice IA.3.083

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

In other words, require users to prove they are who they say they are using more than one technique: something you know (e.g., password), something you have (e.g., token), something you are (e.g., fingerprint).


Practice RE.2.138

Protect the confidentiality of backup CUI at storage locations.

In other words, make sure the copies of the systems and datas you create cannot be deleted or tampered with.

System and Communications Protection (SC)

Practice SC.1.175

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

In other words, use available tools to create a protected barrier around your network and to separate internal portions of your network from each other.

Practice SC.3.177

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

In other words, use NIST-approved cryptography to secure your sensitive data.

Practice SC.3.183

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

In other words, block all incoming traffic, then allow traffic only after you are sure it is necessary to complete your mission.

Practice SC.3.184

Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

To avoid the risk of malicious login on your VPN, only grant remote user systems access while they’re either online or offline. This practice will help prevent an attacker from another network from "passing through" your user's system to attack your network.

You can also check our CMMC self Assessment blog post 

Are you worried that your company is vulnerable to ransomware?

The Business Cybersecurity System protects you against real-world threats while building your cybersecurity culture. Using the latest in breach and attack simulation our team can show you which ransomware and malware attacks would cripple your company regardless of the cybersecurity protections you already have in place!

Cybersecurity Resources

Talk to Us

Reduce your cybersecurity risk and exposure. Schedule time with your ChatFortress Specialist now
or Call 307-999-7755

Cybersecurity Education Links

Common Cybersecurity Mistakes and how you can protect yourself and your business from liability and financial loss! Instant Webinar Access!

Schedule Your Free Cybersecurity Risk Assessment Click Here to Schedule Call

Discover current hacker trends to steal your data and how you can protect yourself in 7 day FREE Email Cybersecurity crash course

Here are the 8 common types of email phishing attacks that hackers use to steal your identity. Are you protected?

Protect your business from hackersCrash Coursesmall business cybersecurity protectionHackerssmall business cybersecurity protection8typesofemailphishingscamssmall business cybersecurity protectionCMMC Compliance Check ListCybersecurity For Business