Glossary

What is CMMC 2.0?

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the US Department of Defense's certification framework for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It has 3 levels — Foundational (15 controls), Advanced (110 NIST SP 800-171 controls), and Expert (110 + 24 enhanced controls). The final rule was published October 2024 with contract-clause rollout phasing through 2028.

What CMMC is

CMMC (the Cybersecurity Maturity Model Certification) is the US Department of Defense's certification framework for any contractor or subcontractor handling sensitive government information. The current version, CMMC 2.0, was streamlined from the original 5-level CMMC 1.0 in 2021. The final rule (32 CFR Part 170) was published October 2024.

Contract-clause rollout (DFARS 252.204-7021) phases in through 2028. By 2028, essentially every DoD contract handling FCI or CUI will require CMMC certification at the appropriate level before award.

Who needs it: any organization in the Defense Industrial Base (DIB) — primes, subcontractors, suppliers — that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on DoD contracts. The DoD estimates 300,000+ organizations are in scope.

FCI vs CUI

FCI (Federal Contract Information)

Information provided by or generated for the government under contract that's not intended for public release. Examples: contract performance data, proprietary contract correspondence, transactional details. The handling baseline is the 15 requirements in FAR clause 52.204-21.

CUI (Controlled Unclassified Information)

Information requiring safeguarding or dissemination controls under 32 CFR Part 2002. Includes technical drawings, export-controlled (ITAR) data, specific weapons system specs, intelligence information. The handling baseline is the 110 requirements in NIST SP 800-171 Rev 2.

The National Archives maintains the CUI Registry listing every defined CUI category. If your contract identifies data as CUI, you're at Level 2 minimum.

The 3 CMMC levels

LevelInformationControlsAssessment
Level 1 (Foundational)FCI only15 (FAR 52.204-21)Annual self-assessment + executive affirmation
Level 2 (Advanced)CUI110 (NIST SP 800-171 Rev 2)Triennial C3PAO third-party assessment for prioritized acquisitions; self-assessment for limited scope
Level 3 (Expert)Highest-priority CUI (APT-targeted)110 + 24 enhanced (NIST SP 800-172)Triennial government-led assessment by DCMA's DIBCAC

What's in the 110 NIST 800-171 controls

The 110 Level-2 controls are grouped into 14 control families:

  1. Access Control (AC) — 22 controls. Who can access what.
  2. Awareness and Training (AT) — 3 controls. Security training.
  3. Audit and Accountability (AU) — 9 controls. Logging and log review.
  4. Configuration Management (CM) — 9 controls. Baseline configs, change control.
  5. Identification and Authentication (IA) — 11 controls. MFA, password policy.
  6. Incident Response (IR) — 3 controls. IR plan, testing.
  7. Maintenance (MA) — 6 controls. System maintenance procedures.
  8. Media Protection (MP) — 9 controls. Handling and disposal.
  9. Personnel Security (PS) — 2 controls. Background checks, departures.
  10. Physical Protection (PE) — 6 controls. Facility access.
  11. Risk Assessment (RA) — 3 controls. Vulnerability scanning, risk analysis.
  12. Security Assessment (CA) — 4 controls. Self-assessment cadence.
  13. System and Communications Protection (SC) — 16 controls. Encryption, boundary protection.
  14. System and Information Integrity (SI) — 7 controls. Patching, malware, monitoring.

The assessment process for Level 2

  1. Scoping — define the CMMC Assessment Scope. Includes every system, person, process, and facility that touches CUI. Aggressively segment what's NOT in scope.
  2. System Security Plan (SSP) — author the SSP describing how each of the 110 controls is implemented. Templates exist; expect 200-500 pages.
  3. Plan of Action & Milestones (POA&M) — track open findings. Note: Level 2 has a "no POA&M for some controls" rule — some controls must be fully implemented at assessment time; others can have POA&M items if scored above the threshold.
  4. SPRS submission — submit your NIST 800-171 self-assessment score to the DoD's Supplier Performance Risk System. Currently 110-point scale starting at -203 (worst) up to +110.
  5. C3PAO assessment — a CMMC Third-Party Assessment Organization audits your controls. Typical engagement: 6-12 weeks. C3PAOs are accredited by Cyber AB.
  6. Certification — Cyber AB issues the CMMC Level 2 certificate. Valid 3 years with annual affirmations.

Cost and timeline

PhaseTimeCost (Level 2, ~100 employee org)
Gap assessment2-4 weeks$15-40K
Remediation + SSP authoring6-18 months$75-300K (internal + consulting)
C3PAO assessment6-12 weeks$50-150K
Total to Level 29-24 months$150-500K
Annual affirmation + maintenanceOngoing$30-100K/year

CMMC vs FedRAMP vs NIST 800-171

StandardAudienceNotes
CMMC 2.0DIB contractors handling FCI/CUICertification overlay on NIST 800-171
NIST SP 800-171Non-federal systems processing CUIThe control set. CMMC Level 2 = these controls + audit
FedRAMPCloud providers selling to federal agenciesDifferent audience: cloud, not DIB. Different control set (800-53)
NIST SP 800-53Federal agencies + FedRAMP cloudThe bigger control catalog. 800-171 is a subset selected for non-federal systems
DFARS 252.204-7012DoD contractors handling CUIThe contract clause requiring 800-171; CMMC adds the certification piece

Subcontractor flow-down

CMMC requirements flow down through the supply chain. If your prime's contract requires Level 2, every subcontractor that handles in-scope FCI/CUI must also hold Level 2 — or be excluded from touching that data. Common pattern: primes are requiring Level 2 across the board, even from subs that don't actually need it, to simplify their own scope.

If you're a subcontractor, talk to your primes early. Many are publishing CMMC roadmaps and prioritizing certified subs in awards.

Run CMMC Level 2 evidence in one platform.

Pre-mapped NIST 800-171 controls, SPRS-ready scoring, POA&M tracking, and policy templates for the 14 control families. 7-day trial.

Start your free trial →