Foundations
What is CMMC, key documents, timeline, and scoring.
Welcome
Start Here
Section titled “Start Here”Scoping
110 Requirements
All 14 families — every requirement with assessor questions, evidence checklists, and implementation guidance.
Assessment & Evidence
How Each Requirement Page Works
Section titled “How Each Requirement Page Works”Every requirement page follows the same structure. No cross-referencing four separate documents.
- The One-Liner — instant pass/fail gut check
- What It Actually Means — plain English, no jargon
- Pass or Fail — the assessor’s yes/no checklist with actionable evidence descriptions
- What to Have Ready on Assessment Day — documents, people, live demos
- The Assessor’s Playbook — the actual questions they’ll ask, with a real-world example
- Where Companies Trip Up — named failure patterns with specific fixes
- How to Talk About This — CEO/Board version + Engineering Team version
- Connected Requirements — cross-links to related controls
- Implementation — cloud platform steps (client access)
The 14 Families
Section titled “The 14 Families”| Ref | Family | Reqs |
|---|---|---|
| 3.1 | Access Control | 22 |
| 3.2 | Training & Awareness | 3 |
| 3.3 | Audit & Accountability | 9 |
| 3.4 | Configuration Management | 9 |
| 3.5 | Identity & Authentication | 11 |
| 3.6 | Incident Response | 3 |
| 3.7 | Maintenance | 6 |
| 3.8 | Media Protection | 9 |
| 3.9 | Personnel Security | 2 |
| 3.10 | Physical Security | 6 |
| 3.11 | Risk Assessment | 3 |
| 3.12 | Security Assessment | 4 |
| 3.13 | System & Network Protection | 16 |
| 3.14 | System Integrity | 7 |