What is a Practice in the context of CMMC objectives?

In the context of CMMC objectives, a Practice represents an activity or set of activities designed to achieve specific security outcomes. These Practices are practical implementations that organizations undertake to safeguard their information and demonstrate compliance with the Cybersecurity Maturity Model Certification (CMMC). Each Practice is tied directly to a particular security objective, and they guide organizations on how to achieve various levels of security maturity.

By focusing on actionable items, Practices enable organizations to implement effective cybersecurity measures. This aligns closely with the intent of the CMMC framework, which is to provide a structured approach to enhance cybersecurity across the defense supply chain and beyond. Emphasizing activities rather than theoretical concepts or evaluations allows organizations to actively engage in enhancing their security posture.