CMMC Version 1.02

As well as the significant economic cost of malicious cyber activity (estimated in excess of $57b per annum), the aggregate loss of controlled unclassified information (CUI) from the Defense Industrial Base (DIB) is a known risk to United States’ national security. In January 2020, the Department of Defense (DoD) therefore introduced a new procedure to certify that around 300,000 defense contractors in its supply chain have adequate cyber security controls in place to protect the DIB’s information.


All contractors and subcontractors that handle federal contract information (FCI) and CUI will be subject to CMMC. Subcontractors may not need to meet the same CMMC Level required by the prime contractor – the DoD will clarify which parts of a contract require which CMMC Levels.

CMMC Levels will be stipulated in DoD requests for information (RFIs) starting in Summer 2020 and vendors must be certified that they have achieved the CMMC Level by the time of award.

The CMMC Model contains 5 Levels:

• Level 1 | Basic Cyber Hygiene (17 security controls)
• Level 2 | Intermediate Cyber Hygiene (46 security controls)
• Level 3 | Good Cyber Hygiene (47 security controls)
• Level 4 | Proactive (26 security controls)
• Level 5 | Advanced / Progressive (4 security controls)

The CMMC model consists of 17 Domains, which in turn consist of a set of processes and security practices across the different Levels. Drawing heavily on existing safeguarding and security requirements, most notably NIST 800-171 which is the basis for 125 out of CMMC’s 171 controls.

Third Party Assessment and Certification

The non-profit Accreditation Body (AB) is responsible for managing, operating and sustaining the CMMC program, including training, evaluating and accrediting Certified Third Party Assessment Organizations (C3PAOs). These C3PAOs will perform independent assessments of contractors’ CMMC implementation and provide audit reports to the AB, which then issues CMMC certification that last for 3 years.

To preserve the time and resources of C3PAOs, defense contractors’ internal audit teams and others providing CMMC assessment services, Titania Nipper’s accurate auditing capability, has been mapped to CMMC controls to automate checks and provide artifacts that evidence compliance within 5 domains:

•Access Controls (AC)
•Audit & Accountability (AU)
•Configuration Management (CM) 
•Risk Management (RM)
•System & Communications Protection (SC)

Nipper also automates some further checks to help you evidence compliance in the following 3 domains:

•Asset Management (AM)
•Identification & Authentication (IA)
•Security Assessment (CA)

Why automate CMMC security practice checks with Titania Nipper?

Titania Nipper is in service with all four arms of the DoD, where it is trusted to automate the configuration audits of core network devices against DISA STIG and CIS benchmarks to prove compliance with Risk Management Frameworks such as DISA RMF, NIST CSF and NIST 800-53/171. Indeed, Nipper’s proven accuracy advantage is estimated to save the DoD up to 3 hours per device not investigating false positives reported by other compliance tools.

As CMMC V1.02 security practice checks build on DISA STIGs, CMMC auditors and assessors are expected to save significant time and resources by automating their compliance checks using Nipper. The software also identifies otherwise-missed false negatives and includes recommendations and specific command line fixes for any issues found, helping to reduce internal teams’ mean time to remediate.

Taking just minutes to set up and generate accurate reports, Nipper automates the line-by-line analysis of your device configuration and operating system data, detecting precise security and compliance risks.


For more information on which of the 32 CMMC controls (across the 8 domains listed above) can be audited using Nipper, download the CMMC Mapping Summary >

Download the CMMC Mapping Summary