Standard Overview
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a U.S. Department of Defense program for verifying the cybersecurity practices of defense contractors and subcontractors. The final rule took effect in December 2024 and establishes three maturity levels to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Defense Industrial Base.
CMMC 2.0 aligns closely with NIST SP 800-171 requirements and introduces mandatory third-party assessments for contractors that handle sensitive CUI. With phased enforcement beginning in November 2025, more than 220,000 defense contractors are expected to need certification at the appropriate level to remain eligible for DoD contracts.
Three Maturity Levels
Streamlined from five to three levels: Level 1 (Foundational, 17 practices), Level 2 (Advanced, 110 practices aligned with NIST SP 800-171), and Level 3 (Expert, NIST SP 800-172 controls).
Third-Party Assessment
Level 2 requires assessment by Certified Third-Party Assessment Organizations (C3PAOs), while Level 1 allows annual self-assessment. Level 3 requires government-led assessment.
CUI Protection
Specifically designed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the Defense Industrial Base supply chain.
CMMC Domains
- Access Control — limit system access to authorized users
- Identification & Authentication — verify user identities
- Media Protection — protect CUI on digital and physical media
- Physical Protection — limit physical access to systems
- System & Communications Protection — monitor and protect communications
- System & Information Integrity — identify and manage flaws
- Incident Response — establish operational incident handling
- Risk Assessment — identify and evaluate risk to CUI
Who Needs to Comply?
All contractors and subcontractors in the U.S. Defense Industrial Base (DIB) who process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of DoD contracts.
Key Requirements
Self-Assessment (Level 1)
Complete an annual self-assessment against 17 basic safeguarding requirements from FAR 52.204-21. Affirm compliance through the Supplier Performance Risk System (SPRS).
NIST SP 800-171 Compliance (Level 2)
Implement all 110 security requirements from NIST SP 800-171 Rev 2. Submit to assessment by a C3PAO and achieve a passing score. Maintain a System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
Plans of Action & Milestones
Document any unmet requirements with specific remediation plans, responsible parties, and target completion dates. POA&Ms must be resolved within 180 days of assessment.
Continuous Compliance Affirmation
Senior officials must annually affirm their organization's continued compliance status in SPRS. Certification is valid for three years with annual affirmation required.
Penalties & Enforcement
Contractors that fail to meet required CMMC levels are ineligible for DoD contract awards. False compliance claims expose contractors to liability under the False Claims Act, with penalties of up to three times the government's damages plus per-claim penalties.