# 170.14 CMMC Model.
(a) *Overview.* The CMMC Model incorporates the security requirements from:
(1) 48 CFR 52.204-21, *Basic Safeguarding of Covered Contractor Information Systems;*
(2) NIST SP 800-171 R2, *Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations* (incorporated by reference, see § 170.2); and
(3) Selected security requirements from NIST SP 800-172 Feb2021, *Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171* (incorporated by reference, see § 170.2).
(b) *CMMC domains.* The CMMC Model consists of domains that map to the Security Requirement Families defined in NIST SP 800-171 R2 (incorporated by reference, see § 170.2).
(c) *CMMC level requirements.* CMMC Levels 1-3 utilize the safeguarding requirements and security requirements specified in 48 CFR 52.204-21 (for Level 1), NIST SP 800-171 R2 (incorporated by reference, see § 170.2) (for Level 2), and selected security requirements from NIST SP 800-172 Feb2021 (incorporated by reference, see § 170.2) (for Level 3). This paragraph discusses the numbering scheme and the security requirements for each level.
(1) *Numbering.* Each security requirement has an identification number in the format—DD.L#-REQ—where:
(i) DD is the two-letter domain abbreviation;
(ii) L# is the CMMC level number; and
(iii) REQ is the 48 CFR 52.204-21 paragraph number, NIST SP 800-171 R2 requirement number, or NIST SP 800-172 Feb2021 requirement number.
(2) *CMMC Level 1 security requirements.* The security requirements in CMMC Level 1 are those set forth in 48 CFR 52.204-21(b)(1)(i) through (xv).
(3) *CMMC Level 2 security requirements.* The security requirements in CMMC Level 2 are identical to the requirements in NIST SP 800-171 R2.
(4) *CMMC Level 3 security requirements.* The security requirements in CMMC Level 3 are selected from NIST SP 800-172 Feb2021, and where applicable, Organization-Defined Parameters (ODPs) are assigned. Table 1 to this paragraph identifies the selected requirements and applicable ODPs that represent the CMMC Level 3 security requirements. ODPs for the NIST SP 800-172 Feb2021 requirements are italicized, where applicable:
Table 1 to § 170.14(**c**)(4)
| Security requirement No.* | CMMC Level 3 security requirements (selected NIST SP 800-172 Feb2021 security requirement with DoD ODPs italicized) |
| --- | --- |
| (i) AC.L3-3.1.2e | Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization. |
| (ii) AC.L3-3.1.3e | Employ to control information flows between security domains on connected systems. |
| (iii) AT.L3-3.2.1e | Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training or when there are significant changes to the threat. |
| (iv) AT.L3-3.2.2e | Include practical exercises in awareness training for that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors. |
| (v) CM.L3-3.4.1e | Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components. |
| (vi) CM.L3-3.4.2e | Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, to facilitate patching, re-configuration, or other mitigations. |
| (vii) CM.L3-3.4.3e | Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components. |
| (viii) IA.L3-3.5.1e | Identify and authenticate before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant. |
| (ix) IA.L3-3.5.3e | Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile. |
| (x) IR.L3-3.6.1e | Establish and maintain a security operations center capability that operates |
| (xi) IR.L3-3.6.2e | Establish and maintain a cyber-incident response team that can be deployed by the organization within |
| (xii) PS.L3-3.9.2e | Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI. |
| (xiii) RA.L3-3.11.1e | Employ as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities. |
| (xiv) RA.L3-3.11.2e | Conduct cyber threat hunting activities to search for indicators of compromise in and detect, track, and disrupt threats that evade existing controls. |
| (xv) RA.L3-3.11.3e | Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components. |
| (xvi) RA.L3-3.11.4e | Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination. |
| (xvii) RA.L3-3.11.5e | Assess the effectiveness of security solutions to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence. |
| (xviii) RA.L3-3.11.6e | Assess, respond to, and monitor supply chain risks associated with organizational systems and system components. |
| (xix) RA.L3-3.11.7e | Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan |
| (xx) CA.L3-3.12.1e | Conduct penetration testing leveraging automated scanning tools and ad hoc tests using subject matter experts. |
| (xxi) SC.L3-3.13.4e | Employ in organizational systems and system components. |
| (xxii) SI.L3-3.14.1e | Verify the integrity of using root of trust mechanisms or cryptographic signatures. |
| (xxiii) SI.L3-3.14.3e | Ensure that are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks. |
| (xxiv) SI.L3-3.14.6e | Use threat indicator information and effective mitigations obtained from, to guide and inform intrusion detection and threat hunting. |

\* Roman numerals in parentheses before the Security Requirement are for numbering purposes only. The numerals are not part of the naming convention for the requirement.
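The identifier scheme in paragraph (c)(1) and the Level 3 selection in Table 1 are easy to get wrong when tracked by hand in an SSP or a POA&M. The following Python is an added example, not text or code from the regulation: it parses a DD.L#-REQ identifier, maps the level to its source document per paragraph (c), checks that the NIST family number in REQ agrees with the domain abbreviation for Levels 2 and 3, and, for Level 3, checks membership in the 24 identifiers listed in Table 1. The domain-to-family mapping for the ten domains that appear in Table 1 is taken from the table; the abbreviations AU, MA, MP and PE and their family numbers are an assumption based on the NIST SP 800-171 R2 family list, as is the `3.x.y` shape of Level 2 requirement numbers.

```python
"""Parse and validate CMMC requirement identifiers in DD.L#-REQ form.

Added example; not part of 32 CFR 170.14. LEVEL3_IDS is copied from
Table 1 to section 170.14(c)(4). FAMILY_BY_DOMAIN is partly an assumption
(see comments below).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# Two-letter domain abbreviation -> NIST SP 800-171 R2 family number.
# Pairs for AC, AT, CM, IA, IR, PS, RA, CA, SC and SI are visible in Table 1;
# AU, MA, MP and PE are an assumption from the 800-171 R2 family list.
FAMILY_BY_DOMAIN = {
    "AC": "3.1", "AT": "3.2", "AU": "3.3", "CM": "3.4", "IA": "3.5",
    "IR": "3.6", "MA": "3.7", "MP": "3.8", "PS": "3.9", "PE": "3.10",
    "RA": "3.11", "CA": "3.12", "SC": "3.13", "SI": "3.14",
}

# Source document for each level, per section 170.14(c).
SOURCE_BY_LEVEL = {
    1: "48 CFR 52.204-21",
    2: "NIST SP 800-171 R2",
    3: "NIST SP 800-172 Feb2021",
}

# The 24 Level 3 requirements selected in Table 1 to section 170.14(c)(4).
LEVEL3_IDS = frozenset("""
AC.L3-3.1.2e AC.L3-3.1.3e AT.L3-3.2.1e AT.L3-3.2.2e CM.L3-3.4.1e CM.L3-3.4.2e
CM.L3-3.4.3e IA.L3-3.5.1e IA.L3-3.5.3e IR.L3-3.6.1e IR.L3-3.6.2e PS.L3-3.9.2e
RA.L3-3.11.1e RA.L3-3.11.2e RA.L3-3.11.3e RA.L3-3.11.4e RA.L3-3.11.5e
RA.L3-3.11.6e RA.L3-3.11.7e CA.L3-3.12.1e SC.L3-3.13.4e SI.L3-3.14.1e
SI.L3-3.14.3e SI.L3-3.14.6e
""".split())

# DD.L#-REQ: two uppercase letters, a level 1-3, then the source requirement
# or paragraph number (digits, letters, dots and parentheses are allowed so
# that 52.204-21 paragraph references can also be carried).
_ID_RE = re.compile(r"^(?P<dd>[A-Z]{2})\.L(?P<level>[123])-(?P<req>[0-9A-Za-z.()]+)$")

# Assumption: NIST SP 800-171 R2 requirement numbers look like 3.x.y.
_LEVEL2_REQ_RE = re.compile(r"^3\.\d+\.\d+$")


@dataclass(frozen=True)
class RequirementId:
    domain: str
    level: int
    req: str

    @property
    def source(self) -> str:
        """Document the requirement is drawn from, by CMMC level."""
        return SOURCE_BY_LEVEL[self.level]


def parse_requirement_id(text: str) -> RequirementId:
    """Parse one identifier; raise ValueError with the reason if it is not valid."""
    ident = text.strip()
    m = _ID_RE.match(ident)
    if m is None:
        raise ValueError(f"{ident!r} is not in DD.L#-REQ form")
    rid = RequirementId(m["dd"], int(m["level"]), m["req"])
    if rid.domain not in FAMILY_BY_DOMAIN:
        raise ValueError(f"{ident!r}: unknown domain abbreviation {rid.domain}")
    if rid.level in (2, 3):
        # REQ is a NIST requirement number (3.11.2 or 3.11.2e); its family
        # prefix must agree with the domain abbreviation.
        family = ".".join(rid.req.split(".")[:2])
        expected = FAMILY_BY_DOMAIN[rid.domain]
        if family != expected:
            raise ValueError(f"{ident!r}: family {family} does not belong to {rid.domain} ({expected})")
    if rid.level == 2 and not _LEVEL2_REQ_RE.match(rid.req):
        raise ValueError(f"{ident!r}: Level 2 REQ must be an 800-171 R2 number (3.x.y)")
    if rid.level == 3 and ident not in LEVEL3_IDS:
        raise ValueError(f"{ident!r} is not a Level 3 requirement selected in Table 1")
    return rid


def validate_ids(ids: Iterable[str]) -> Dict[str, str]:
    """Return {identifier: problem} for each invalid entry; empty means all valid."""
    problems: Dict[str, str] = {}
    for raw in ids:
        try:
            parse_requirement_id(raw)
        except ValueError as exc:
            problems[raw] = str(exc)
    return problems


if __name__ == "__main__":
    # Constructed sample, as it might come from an SSP control matrix.
    sample = ["RA.L3-3.11.2e", "AC.L2-3.1.1", "AC.L3-3.1.1e", "IA.L2-3.1.1"]
    for ident, why in validate_ids(sample).items():
        print(f"REJECT {ident}: {why}")
```

The family check catches the common transcription error of attaching a requirement to the wrong domain, and the Table 1 membership check prevents an 800-172 requirement that DoD did not select from being claimed as a Level 3 requirement.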
(d) *Implementation.* Assessment of security requirements is prescribed by NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800-172A Mar2022 (incorporated by reference, see § 170.2). Descriptive text in these documents supports OSA implementation of the security requirements and uses the terms organization-defined and periodically. Except where referring to Organization-Defined Parameters (ODPs), organization-defined means as determined by the OSA. Periodically means occurring at regular intervals. As used in many requirements within CMMC, the interval length is organization-defined to provide contractor flexibility, with an interval length of no more than one year.