CMMC 2.0
Cybersecurity Maturity Model Certification — Defense Industrial Base Cybersecurity Standard
Standard Introduction
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a U.S. Department of Defense program that verifies the cybersecurity practices of defense contractors and subcontractors. The final rule, effective December 2024, establishes three maturity levels to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base.
CMMC 2.0 aligns closely with NIST SP 800-171 requirements and introduces mandatory third-party assessments for contractors handling sensitive CUI. With phased enforcement beginning in November 2025, an estimated 220,000+ defense contractors must achieve the appropriate certification level to remain eligible for DoD contracts.
Three Maturity Levels
Streamlined from five to three levels: Level 1 (Foundational, 17 practices), Level 2 (Advanced, 110 practices aligned with NIST SP 800-171), and Level 3 (Expert, NIST SP 800-172 controls).
Third-Party Assessment
Level 2 requires assessment by Certified Third-Party Assessment Organizations (C3PAOs), while Level 1 allows annual self-assessment. Level 3 requires government-led assessment.
CUI Protection
Specifically designed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the Defense Industrial Base supply chain.
CMMC Domains
- Access Control — limit system access to authorized users
- Identification & Authentication — verify user identities
- Media Protection — protect CUI on digital and physical media
- Physical Protection — limit physical access to systems
- System & Communications Protection — monitor and protect communications
- System & Information Integrity — identify and manage flaws
- Incident Response — establish operational incident handling
- Risk Assessment — identify and evaluate risk to CUI
Who Needs to Comply?
All contractors and subcontractors in the U.S. Defense Industrial Base (DIB) who process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of DoD contracts.
Key Requirements
Self-Assessment (Level 1)
Complete an annual self-assessment against 17 basic safeguarding requirements from FAR 52.204-21. Affirm compliance through the Supplier Performance Risk System (SPRS).
NIST SP 800-171 Compliance (Level 2)
Implement all 110 security requirements from NIST SP 800-171 Rev 2. Submit to assessment by a C3PAO and achieve a passing score. Maintain a System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
Plans of Action & Milestones
Document any unmet requirements with specific remediation plans, responsible parties, and target completion dates. POA&Ms must be resolved within 180 days of assessment.
Continuous Compliance Affirmation
Senior officials must annually affirm their organization's continued compliance status in SPRS. Certification is valid for three years with annual affirmation required.
Penalties & Enforcement
Contractors that fail to meet required CMMC levels are ineligible for DoD contract awards. False compliance claims expose contractors to liability under the False Claims Act, with penalties of up to three times the government's damages plus per-claim penalties.