CMMC is built on "practices," not traditional compliance checkboxes. A CMMC practice is a specific action or set of activities you must perform to protect Controlled Unclassified Information (CUI). This guide explains what practices are, how they differ across CMMC levels, how they're assessed, and how to prioritize implementation.
What Are CMMC Practices?
CMMC practices are the observable, measurable actions your organization must take to achieve and maintain a certain security maturity level. Unlike traditional compliance frameworks that focus on having controls "in place," CMMC assesses whether practices are actually performed, documented, and repeatable.
Example CMMC Practice
Practice AC-1.001: Authorize Access to CUI
To satisfy this practice, you must:
- Define which employees and contractors can access each CUI repository
- Document authorization decisions in a formal access control matrix
- Have authorization approved by a manager or owner
- Implement the authorization in your system (Active Directory, firewall, database, etc.)
- Review and update authorizations quarterly or when roles change
- Maintain records of authorization approvals and reviews
A practice includes policy, procedure, implementation, and evidence. Just having a password policy isn't enough—you must enforce it, document it, and prove it's working.
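As an added example (not code from the original page or from any CMMC tooling), the check below reconciles a documented access control matrix against the access actually provisioned, and flags overdue quarterly reviews and missing approvals; the repository names, principals and dates are constructed, and the 91-day review window is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=91)  # "quarterly" taken as 91 days (assumption)

@dataclass
class Authorization:
    """One row of the access control matrix for a CUI repository."""
    repository: str
    authorized: set          # principals the matrix says may access the repository
    approver: str            # manager/owner who signed off; empty string = no approval
    last_reviewed: date      # date of the most recent authorization review

def reconcile(matrix: dict, implemented: dict, today: date) -> list:
    """Compare documented authorizations with the access actually granted.
    `implemented` maps repository -> set of principals that currently have access
    (e.g. an exported group membership or share ACL). Returns a list of
    (repository, finding, detail) tuples; an empty list is the evidence you want."""
    findings = []
    for repo, auth in matrix.items():
        actual = implemented.get(repo, set())
        for p in sorted(actual - auth.authorized):        # access granted but never authorized
            findings.append((repo, "UNAUTHORIZED_ACCESS", p))
        for p in sorted(auth.authorized - actual):        # authorized but not implemented
            findings.append((repo, "NOT_PROVISIONED", p))
        if today - auth.last_reviewed > REVIEW_INTERVAL:  # quarterly review missed
            findings.append((repo, "REVIEW_OVERDUE", auth.last_reviewed.isoformat()))
        if not auth.approver:                             # no documented approval
            findings.append((repo, "NO_APPROVAL", ""))
    for repo in sorted(set(implemented) - set(matrix)):   # access exists, matrix is silent
        findings.append((repo, "UNDOCUMENTED_REPOSITORY", ""))
    return findings

def sample_findings() -> list:
    """Run the reconciliation on constructed sample data (no real systems involved)."""
    matrix = {
        "cui-contracts-share": Authorization("cui-contracts-share", {"alice", "bob"}, "c.owner", date(2024, 1, 15)),
        "cui-engineering-db": Authorization("cui-engineering-db", {"dave"}, "", date(2024, 5, 1)),
    }
    implemented = {  # constructed export of what the systems actually grant today
        "cui-contracts-share": {"alice", "bob", "mallory"},
        "cui-engineering-db": set(),
        "cui-legacy-ftp": {"eve"},
    }
    return reconcile(matrix, implemented, date(2024, 6, 1))

if __name__ == "__main__":
    for repo, finding, detail in sample_findings():
        print(f"{repo}: {finding} {detail}".rstrip())
```

A dated run of this check, stored next to the matrix and the approval records, is the kind of implementation evidence the practice asks for.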
Practices vs NIST Controls
CMMC practices map to NIST 800-171 and 800-172 controls. The relationship:
- NIST 800-171 Control (Level 2): "Enforce password complexity requirements for system accounts."
- CMMC Practice (Level 2): "Identify, select, and document password policies. Implement complexity requirements. Demonstrate enforcement via logs. Update policies annually."
CMMC practices add maturity requirements. It's not enough to have the control—you must show it's planned, implemented, monitored, and continuously improved.
CMMC Level 1: Foundational Practices (17 Practices)
Level 1 covers basic security hygiene across 6 domains:
Level 1 Practice Distribution
| Domain | Number of Practices | Focus |
|---|---|---|
| Access Control | 3 | User identification, password management |
| Asset Management | 2 | Inventory of hardware and software |
| Data Protection | 2 | Safeguard CUI, secure removal |
| Defense | 2 | Antivirus, firewall, malware defense |
| Incident Response | 2 | Incident detection and reporting |
| Recovery & Resilience | 4 | Backups, system recovery, disaster recovery |
| TOTAL | 17 | |
Sample Level 1 Practices
- Enforce strong password complexity (minimum 12 characters, upper/lower/numeric/special)
- Maintain hardware and software inventory
- Enable antivirus and keep it updated
- Conduct annual security awareness training
- Maintain regular backups of critical data
- Detect and report security incidents to DoD
Level 1 Assessment
Self-assessed. No third-party auditor. Your organization documents practices and submits to DoD CISO. Low cost, high organizational responsibility.
CMMC Level 2: Intermediate Practices (110 Practices)
Level 2 expands to all 14 NIST 800-171 control families with documented processes and repeatable procedures.
Level 2 Practice Distribution (NIST 800-171 Map)
| Domain | Practices | Primary Requirements |
|---|---|---|
| Access Control | 22 | User management, least privilege, role-based access |
| Awareness & Training | 3 | Annual security training for all staff |
| Audit & Accountability | 9 | System logging, audit trail protection |
| Configuration Management | 9 | Baselines, change control, security reviews |
| Identification & Authentication | 11 | MFA, password policies, credential management |
| Incident Response | 3 | Incident handling, reporting procedures |
| Maintenance | 6 | System maintenance, remote access controls |
| Media Protection | 9 | Encryption, secure disposal, transport |
| Personnel Security | 2 | Access termination, clearances |
| Physical & Environmental | 6 | Facility access, visitor logs |
| Risk Assessment | 3 | Vulnerability scans, risk analysis |
| Security Assessment | 4 | Security testing, assessments |
| System & Comms Protection | 16 | Encryption, firewalls, boundary protection |
| System & Information Integrity | 7 | Patching, malware protection |
| TOTAL | 110 | |
Level 2 Key Characteristics
Level 2 practices require:
- Documented policies and procedures for each practice domain
- Formal implementation with evidence of deployment
- Regular monitoring and review of practice effectiveness
- Evidence documentation for assessor review
- Third-party C3PAO assessment (not self-assessed)
CMMC Level 3: Advanced Practices (171+ Practices)
Level 3 adds 61 practices from NIST SP 800-172 (Advanced and Long-Term Cyber Security Guidance) to Level 2 practices.
Level 3 Additional Controls from NIST 800-172
Level 3 adds advanced practices in these areas:
- Advanced/Persistent Threat Detection: Behavioral analysis, anomaly detection, threat intelligence integration
- Supply Chain Risk Management: Supplier security assessments, third-party risk monitoring
- Continuous Diagnostics and Mitigation (CDM): Real-time security monitoring, automated reporting
- Insider Threat Programs: User activity monitoring, privilege abuse detection
- Cyber Threat Environment Management: Threat intelligence, zero-trust architecture
- Risk-Based Adaptive Cybersecurity: Dynamic security controls based on threat level
Practice Maturity Levels
Each practice is assessed on a maturity scale:
Ad-Hoc (0)
Practice is not performed or not documented. No formal process. Assessment finding: Not Satisfied.
Documented (1)
Practice has a documented policy, but execution is inconsistent. Some evidence of implementation. Assessment finding: Partially Satisfied.
Implemented (2)
Practice is consistently performed and documented. Evidence of execution available. Assessment finding: Satisfied.
Managed (3)
Practice performance is monitored, measured, and improved. Metrics collected. Assessment finding: Satisfied (Level 2 max).
Optimized (4)
Practice is continuously optimized based on metrics and threat intelligence. Feedback loops in place. Assessment finding: Satisfied (Level 3).
Top 10 Most Challenging CMMC Practices to Implement
High-Difficulty Practices
These practices require significant planning, tooling, and organizational change. Start here for risk reduction.
| Practice | Difficulty | Key Challenge |
|---|---|---|
| SC-28.001 (Encryption at Rest) | High | Requires cryptographic tools, key management, and system redesign |
| CM-3.001 (Formal Change Control) | High | Requires organizational discipline and workflow tools |
| CA-7.001 (Continuous Monitoring) | High | Requires SIEM, automated tools, and 24/7 monitoring capability |
| SI-12.001 (Information System Monitoring) | High | Requires extensive logging, log aggregation, and analysis |
| MA-4.001 (Remote Access Security) | Medium-High | Requires VPN, MFA, and session logging infrastructure |
| AC-5.001 (Separation of Duties) | Medium-High | Requires role redesign and identity governance tools |
| PS-4.001 (Access Termination) | Medium | Requires workflows and cross-system cleanup procedures |
| IA-5.001 (Authentication Mechanisms) | Medium | Requires MFA deployment and strong password enforcement |
| AU-2.001 (Audit Logging) | Medium | Requires log configuration, retention, and centralization |
| MP-7.001 (Media Encryption) | Medium | Requires encryption of all portable devices and USB drives |
Practice Documentation Requirements
For each practice, you must document:
- Policy: Written statement of the organization's intent (e.g., "We encrypt all CUI in transit and at rest")
- Procedure: Step-by-step instructions on how the practice is performed (e.g., encryption tool configuration steps)
- Implementation Evidence: Screenshots, logs, or outputs proving the practice is active (e.g., encryption status reports)
- Assessment Records: Documentation of practice testing or audits (e.g., quarterly encryption audits)
- Approval/Authorization: Sign-off from management that the practice is approved and in effect
How Practices Are Assessed During CMMC Audits
During a CMMC Level 2 or 3 assessment, C3PAO assessors will:
- Review documentation — Examine policies, procedures, and evidence
- Interview staff — Ask employees about practice performance (e.g., "Show me your backup procedure")
- Observe systems — Check system configurations and security tool settings
- Test controls — Perform security tests (e.g., try accessing a system without authorization)
- Verify evidence — Confirm that logs and records support your claims
- Rate maturity — Determine if practices are ad-hoc, documented, implemented, managed, or optimized
Key Assessment Principle: Assessors look for maturity, not just compliance. A practice is "satisfied" only if it's consistently performed, documented, and monitored.
Practice Implementation Order: What to Tackle First
Prioritize implementation by impact and effort:
Phase 1: Foundation (Months 1-3)
High impact, moderate effort. Foundation for all other practices.
- IA-5.001 (Password policies and MFA)
- SC-7.001 (Firewall and boundary protection)
- AU-2.001 (Audit logging)
- AC-1.001 (Access authorization)
Phase 2: Hardening (Months 4-6)
High impact, moderate-high effort. Reduces exploitation risk.
- SC-28.001 (Encryption at rest and in transit)
- SI-2.001 (Patch management)
- CM-3.001 (Change control)
- SI-3.001 (Malware protection)
Phase 3: Monitoring & Detection (Months 7-9)
High impact, high effort. Enables incident response.
- CA-7.001 (Continuous monitoring)
- IR-4.001 (Incident handling)
- AU-12.001 (Audit log review and retention)
Phase 4: Organizational (Months 10-12)
Moderate effort; completes the compliance picture.
- AT-1.001 (Security awareness training)
- PS-4.001 (Access termination)
- RA-5.001 (Vulnerability assessments)
- PE-3.001 (Physical access controls)
Frequently Asked Questions
How many practices do I need to "satisfy" for CMMC Level 2?
All 110 practices must be satisfied at the "Implemented" maturity level minimum. No waivers or exceptions are allowed, though some practices may not apply if you don't have certain systems.
Can I implement Level 2 practices and skip Level 1?
No. Level 1 is foundational; Level 2 builds on it. However, if you implement all 110 Level 2 practices, you automatically satisfy Level 1 (since Level 2 includes all Level 1 practices).
What if a practice doesn't apply to my organization?
Some practices may not apply if you lack certain systems. For example, if you don't use wireless networks, wireless security practices may not apply. Document the justification and have your C3PAO assessor agree.
How often should practices be reviewed and updated?
Annually minimum. Many organizations review quarterly. Practices should evolve as threats change and new vulnerabilities emerge. CMMC reassessment every 3 years ensures practices remain current.
Can I use third-party tools to automate practice implementation?
Yes. Tools like SIEM platforms, identity management systems, patch management tools, and configuration management systems can automate many practices. You still need documented procedures and evidence.
What's the difference between a practice and a control?
NIST controls describe "what" needs to be protected. CMMC practices describe "how" to protect it consistently and maturely. Practices add the organizational maturity dimension.