Cybersecurity Maturity Model Certification (CMMC) Model Overview | Version 2.0

Description and Tags

Practice flashcards covering the key terms, levels, and domains of the Cybersecurity Maturity Model Certification (CMMC) Version 2.0 based on the official model overview transcript.

Last updated 7:14 PM on 5/6/26

15 Terms

1. Federal Contract Information (FCI)

Information provided by or generated for the Government under contract not intended for public release.

2. Controlled Unclassified Information (CUI)

Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding classified information.

3. Defense Industrial Base (DIB)

A sector of more than 300,000 companies supporting the warfighter through research, engineering, development, acquisition, production, delivery, sustainment, and operations of DoD systems.

4. CMMC Level 1

A model level focusing on the basic safeguarding of FCI; it includes 17 practices corresponding to the requirements specified in 48 CFR 52.204-21.

5. CMMC Level 2

A model level focusing on the protection of CUI; it encompasses the 110 security requirements specified in NIST SP 800-171 Rev 2.

6. CMMC Level 3

A model level based on a subset of NIST SP 800-172 requirements intended to reduce risk from Advanced Persistent Threats (APTs).

7. CMMC Domains

The 14 groups of security requirements in the CMMC model that align with the families specified in NIST SP 800-171, such as Access Control (AC) and Incident Response (IR).

8. Least Privilege

The principle of employing minimum necessary access, including for specific security functions and privileged accounts (Practice AC.L2-3.1.5).

9. Split Tunneling

A practice that prevents remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via other external network resources (Practice SC.L2-3.13.7).

10. FIPS-validated cryptography

The specific type of cryptography required to protect the confidentiality of CUI according to CMMC practice SC.L2-3.13.11.

11. Least Functionality

The practice of configuring organizational systems to provide only essential capabilities, restricting or disabling nonessential programs and services (Practice CM.L2-3.4.6).

12. System Security Plan (SSP)

A document that describes system boundaries, operation environments, implementation of security requirements, and connections to other systems (Practice CA.L2-3.12.4).

13. Insider Threat Awareness

Security awareness training focused on recognizing and reporting potential indicators of internal risks (Practice AT.L2-3.2.3).

14. Multifactor Authentication (MFA)

Identification and authentication requirements for local and network access to privileged accounts and network access to non-privileged accounts (Practice IA.L2-3.5.3).

15. Advanced Persistent Threat (APT)

A specific category of cyber threat that CMMC Level 3 is designed to mitigate.