CMMC controls explained: a complete guide for DoD contractors
CMMC controls are the security practices your organization must implement—and prove—for the CMMC level specified in your DoD contract.
This guide covers:
- How controls map across Levels 1–3
- The 14 NIST 800-171 families most Level 2 contractors implement
- What evidence looks like when controls are truly operating
Key takeaways
- CMMC does not invent a separate control catalog for Level 2—it assesses NIST SP 800-171.
- Level 1 uses 15 FAR safeguarding practices; Level 3 adds 800-172 enhancements.
- Controls are evaluated as MET, NOT MET, or N/A with documented justification.
- Strong programs assign one owner and a recurring evidence source to each practice cluster.
Where CMMC controls come from
| CMMC level | Control source |
|---|---|
| 1 | FAR 52.204-21 (15 practices) |
| 2 | NIST SP 800-171 Rev. 2 (110 requirements) |
| 3 | 800-171 + NIST SP 800-172 enhancements |
CMMC assessments verify implementation of these sources within the authorized assessment scope.
Level 1 controls
Level 1 practices emphasize basic safeguarding for FCI: access limits, user authentication, media handling, visitor escorts, and malware/patch hygiene.
They are fewer in count but still require evidence of operation during self-assessment.
Level 2 control families (800-171)
The 110 requirements roll up into 14 families. High-impact areas for many contractors:
| Family | Why assessors focus here |
|---|---|
| Access Control (AC) | MFA, remote access, least privilege |
| Audit & Accountability (AU) | Central logging, retention, review |
| Configuration Management (CM) | Baselines, ports/services, change control |
| Identification & Authentication (IA) | Password policies, MFA coverage |
| System & Communications Protection (SC) | Encryption, boundary defenses |
| System & Information Integrity (SI) | Patching cadence, AV/EDR |
Use a POA&M for time-bound gaps where policy allows—not as a permanent substitute for MET practices.
Level 3 enhancements (800-172)
800-172 adds enhanced requirements—often around segmentation, monitoring depth, dual authorization, and supply chain protections—for designated high-risk CUI programs.
Only implement enhancements required for your assessment scope and contract.
Evidence assessors expect
| Control theme | Example evidence |
|---|---|
| MFA | IdP configs, enrollment reports |
| Logging | SIEM rules, sample alerts, review tickets |
| Patching | Vuln scan exports, remediation SLAs |
| Training | LMS completions, annual refresh |
| IR | Tabletop notes, incident tickets |
Policies alone are insufficient—assessors sample live systems and tickets.
Map controls in SecureSlate
SecureSlate links practices to policies, tests, and evidence collections for faster assessment prep.
FAQ
How do “practices” relate to “controls”?
In CMMC Level 2 discourse, practices commonly refer to 800-171 requirements—language varies by document; align to NIST IDs in your SSP.
Can cloud providers meet controls for us?
Some controls are inherited—document responsibility splits in SSP and vendor artifacts (SOC reports, FedRAMP packages where applicable).
Disclaimer (legal note)
Control applicability depends on scope and assessor interpretation. Maintain qualified advisory support for edge cases.
