In CMMC, what is essential for an activity to be classified as a Practice?


In the context of CMMC, an activity is classified as a Practice when it supports the meeting of defined objectives. This means that the implementation of these Practices is aligned with the overall goals of securing Controlled Unclassified Information (CUI) and improving the organization's cybersecurity posture.

The focus on defined objectives underscores the practical and functional implications of implementing security measures. Practices are not merely theoretical or abstract ideas; they must be actionable and contribute to achieving specific security outcomes. For instance, a Practice might involve conducting regular security training for staff to ensure that they understand their roles in maintaining the security of sensitive information. By fulfilling such objectives, the Practice demonstrates its relevance and effectiveness within the CMMC framework.

While having a documented policy can be beneficial to provide structure and guidance, it is not a requirement for an activity to be classified as a Practice. Additionally, the approval from external auditors does not determine the classification of an activity as a Practice; rather, it is the alignment with the goals of cybersecurity and compliance that matters most.
