CMMC is built on NIST 800-171 and organized into 14 domains. Each domain covers a different slice of your security program, creating a broad surface area that many teams underestimate at the start.
Within those domains sit 110 controls. The controls set the requirement, but the real challenge shows up underneath them—every control is unpacked into multiple assessment objectives, each one representing a specific action you must demonstrate.
The official FAR clause lists 15 safeguards, but CMMC documentation often references 17 practices. Here is why:
CMMC inherited the DoD’s earlier mapping from the DFARS 252.204-21 “Basic Safeguarding” table, where two of the FAR requirements were split into multiple CMMC practice IDs during modeling. They are not additional requirements—just a structural carryover from the original DoD-to-NIST mapping exercise.