CMMC Practice
In CMMC terminology, a practice is a specific cybersecurity activity or capability that your organization must implement. Each practice maps to a security requirement — for example, 'Limit system access to authorized users' is a practice. Practices are organized by domain (like Access Control, Incident Response) and by level (Level 1, 2, or 3).
Each practice has a unique identifier like AC.L2-3.1.1, which tells you the domain (AC = Access Control), the level (L2 = Level 2), and the corresponding NIST requirement number (3.1.1).
Why It Matters
Understanding how practices are structured helps you navigate your compliance checklist. Each practice must be demonstrably implemented — meaning you need evidence, not just a policy on paper.
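The identifier structure and the evidence requirement described above can be checked mechanically. The following is an added example, not part of the original page or of any CMMC tooling: it parses identifiers of the form shown above and lists in-scope checklist rows that have no evidence attached. The checklist layout, the sample rows, the file names, and the treatment of levels as cumulative are assumptions.

```python
import re
from collections import defaultdict

# Shape shown on the page: <DOMAIN>.L<level>-<requirement number>, e.g. AC.L2-3.1.1
# Assumption: two-letter domain code, levels 1-3, dotted numeric requirement number.
PRACTICE_ID = re.compile(r"^(?P<domain>[A-Z]{2})\.L(?P<level>[1-3])-(?P<req>\d+(?:\.\d+)+)$")


def parse_practice_id(text):
    """Split a practice identifier into domain, level and requirement number."""
    m = PRACTICE_ID.match(text.strip())
    if m is None:
        raise ValueError(f"not a practice identifier: {text!r}")
    return {"domain": m["domain"], "level": int(m["level"]), "requirement": m["req"]}


def review_checklist(rows, target_level):
    """Group rows by domain and report in-scope practices that lack evidence.

    rows: iterable of (practice_id, list_of_evidence_references).
    Returns (by_domain, missing_evidence, malformed).
    """
    by_domain = defaultdict(list)
    missing, malformed = [], []
    for practice_id, evidence in rows:
        try:
            parsed = parse_practice_id(practice_id)
        except ValueError:
            malformed.append(practice_id)  # surface typos instead of dropping rows
            continue
        if parsed["level"] > target_level:
            continue  # assumption: levels are cumulative, higher ones are out of scope
        by_domain[parsed["domain"]].append(practice_id.strip())
        if not any(ref.strip() for ref in evidence):
            missing.append(practice_id.strip())  # a blank reference is not evidence
    return dict(by_domain), missing, malformed


# Constructed sample checklist (rows other than AC.L2-3.1.1 are illustrative).
SAMPLE = [
    ("AC.L2-3.1.1", ["access-review-2024Q4.pdf"]),
    ("AC.L2-3.1.2", []),
    ("IR.L2-3.6.1", [" "]),
    ("AC.L3-3.1.2", ["n/a"]),
    ("AC-L2.3.1.1", ["policy.docx"]),
]

if __name__ == "__main__":
    grouped, no_evidence, bad = review_checklist(SAMPLE, target_level=2)
    print(grouped, no_evidence, bad, sep="\n")
```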