A Practical Guide to CMMC 2.0: Levels, Requirements, and How to Comply
Navigating the complexities of CMMC compliance is a daunting task, especially with the recent updates to the framework. Whether you’re working towards achieving certification for the first time or want to understand how CMMC 2.0 changes affect your current compliance status, you’ve come to the right place.
Below, we unpack the Cybersecurity Maturity Model Certification 2.0 to explain which organizations are required to comply, how to determine which level of compliance you need, and the different assessment processes. We also share compliance checklists for CMMC 2.0 Level 1 and Level 2 to help you understand and implement specific requirements.
What is the Cybersecurity Maturity Model Certification?
The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework established by the U.S. Department of Defense (DoD) to enhance the cybersecurity of contractors within the Defense Industrial Base (DIB).
The CMMC was created in response to several cybersecurity issues:
- Increasing cyber threats: The DIB has been a prime target for cyberattacks, with adversaries seeking to exploit vulnerabilities to steal sensitive information and intellectual property. These threats have been growing in frequency and sophistication.
- Inconsistent cybersecurity practices: Prior to the CMMC, information security practices across the DIB varied widely. Many contractors did not have adequate measures in place to protect sensitive information, leading to breaches and compromised data.
- Growing national security threats: Ensuring the security of sensitive defense information is critical to national security. Compromised data can have severe implications, including undermining military operations and technological advantages.
- Poor standardization and accountability: The CMMC aims to standardize cybersecurity practices across all defense contractors. By requiring annual self-assessments or third-party certification, the DoD ensures that all contractors meet a baseline level of security.
- Supply chain security: The defense supply chain includes a vast network of companies, from large prime contractors to small subcontractors. The CMMC ensures that all entities within this supply chain adhere to robust cybersecurity standards, reducing overall risk.
- Align with the broader regulatory landscape: The CMMC aligns with broader regulatory efforts to enhance cybersecurity, including other federal initiatives and policies designed to protect critical infrastructure and sensitive information.
The Ultimate Guide to Federal Frameworks
Get an overview of the most common federal frameworks, who they apply to, and what their requirements are.
Who is required to comply with the CMMC?
If your organization works with the DoD, either directly or as a subcontractor, and handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you will need to comply with CMMC. The specific CMMC level required will depend on the type of information you handle and the requirements outlined in the DoD contracts you are involved with.
Consider the following to determine if you need to comply with CMMC:
- Review contractual requirements: If your organization currently holds or plans to bid on DoD contracts you will need to comply with CMMC. If you are a subcontractor for a prime contractor with a DoD contract, you may also need to comply with CMMC based on the flow-down requirements from the prime contractor.
- Consider the type of information handled: If your organization handles FCI or CUI, you are required to comply with CMMC. FCI is data that isn’t classified but still needs to be protected to ensure the integrity and confidentiality of federal operations, such as design documentation, statements of work, or financial records related to federal contracts. CUI is information that is designated by the federal government as sensitive enough to require protection, such as personally identifiable information, HIPAA-protected data, law enforcement records, critical infrastructure and defense information, and export control information.
- Review DoD guidance and RFPs: Carefully review requests for proposals and other DoD solicitations. These documents will specify the required CMMC level for that particular contract. It’s also important to examine specific contract clauses that outline CMMC requirements, such as the DFARS (Defense Federal Acquisition Regulation Supplement) clauses related to cybersecurity.
- Engage with prime contractors: If you are a subcontractor, compliance requirements may be less clear. Communicate with your prime contractor to understand any CMMC requirements and levels that apply to your role. Prime contractors are responsible for ensuring that their subcontractors meet the necessary CMMC requirements, so they should provide guidance and set expectations.
CMMC 2.0: Understanding the major changes
Announced in November 2021, CMMC 2.0 introduced significant changes to simplify the certification process, align more closely with existing cybersecurity standards, and reduce the compliance burden on small businesses. These changes make the framework more practical and accessible while maintaining robust cybersecurity practices to protect sensitive information.
Let’s overview the major framework updates:
Reduced number of levels
CMMC 2.0 reduced the number of certification levels from five to three:
- Level 1 (Foundational): Basic cyber hygiene practices.
- Level 2 (Advanced): Aligns with NIST SP 800-171 practices.
- Level 3 (Expert): Aligns with a subset of NIST SP 800-172 controls, focused on advanced/progressive cybersecurity practices.
Closer alignment with National Institute of Standards and Technology (NIST) Standards
The practices required for Level 2 and Level 3 compliance now align more closely with existing NIST SP 800-171 and NIST SP 800-172 standards, making it easier for organizations already following these frameworks to comply with the CMMC.
Self-assessments for certain levels and contract types
Organizations can now perform annual self-assessments for Level 1 compliance instead of requiring third-party assessments.
Level 2 assessments are now split into two categories. Critical contracts still require third-party assessments by a certified third-party assessment organization (C3PAO) every three years. For certain non-critical contracts, Level 2 compliance can be achieved through annual self-assessments rather than third-party assessments, with an affirmation by a senior company official.
By allowing self-assessments for Level 1 and certain Level 2 contracts, CMMC 2.0 aims to reduce the compliance burden and associated costs, particularly for small and medium-sized businesses.
More focused requirements
CMMC 2.0 removed some unique CMMC requirements that were not aligned with existing standards. The streamlined levels and practices also focus more precisely on protecting CUI, which is a primary concern for the DoD.
Stronger accountability and transparency
Organizations performing self-assessments must have a senior company official affirm the assessment results, enhancing accountability. Clearer guidelines and requirements also aim to increase transparency and understanding of what is needed for compliance.
With the phased implementation that began in May 2023, CMMC 2.0 is projected to be included in all DoD contracts by 2028. However, it’s important to note that even if CMMC isn’t in your organization’s DoD contract by a certain date, as soon as the CMMC final rule is released it will be rolled out to the market and applicable for audits. To be competitive within the DoD marketplace, organizations will need to prioritize compliance with CMMC 2.0. Prime contractors will also likely favor subcontractors who are more prepared to protect their supply chain.
Recommended reading
A Guide to Regulatory Change Management & How Software Can Simplify It
How to achieve CMMC compliance
Understanding the key steps of CMMC 2.0 compliance can simplify the process and ensure your organization is well-prepared to meet requirements. Let’s dive into the essential steps of achieving CMMC compliance, including how to determine your compliance level, implement requirements, and prepare for assessments.
Step 1: Determine your CMMC level
CMMC 2.0 compliance and assessment requirements vary based on your organization’s relationship with the DoD and the type of information you handle, so the first step is to determine your CMMC level. Let’s take a closer look at the three levels of CMMC 2.0 compliance.
CMMC Level 1: Foundational
CMMC Level 1 ensures that companies implement basic cybersecurity practices to protect FCI. It includes 17 fundamental practices based on FAR 52.204-21 focused on safeguarding access, authentication, media protection, physical security, communications protection, and system integrity. Level 1 compliance involves an annual self-assessment and executive affirmation.
CMMC Level 2: Advanced
CMMC 2.0 Level 2 compliance is more extensive than Level 1 and is designed for organizations handling CUI. It aligns with the NIST SP 800-171 rev 2 framework and includes 110 security practices. Third-party assessments for critical national security information are conducted every three years, and annual self-assessments are conducted for non-critical information.
CMMC Level 3: Expert
CMMC 2.0 Level 3 is the highest level, designed for organizations handling CUI. It focuses on advanced cybersecurity practices to protect against Advanced Persistent Threats (APTs). It builds on the practices of Levels 1 and 2 and incorporates additional practices from a subset of NIST SP 800-172 controls (specific practices are defined by the DoD). Before pursuing Level 3, organizations must satisfy compliance requirements for CMMC Level 2. A government-led assessment by the DoD is conducted every three years.
Ask yourself these questions to help determine your CMMC level:
- What are your contractual obligations? Review your current or prospective contracts with the DoD to identify any specified CMMC requirements. Look for clauses or references to CMMC levels within RFPs and contracts.
- What type of information do you handle? If your organization handles FCI, you will need to comply with at least Level 1. If you handle CUI, you will need to comply with Level 2 or higher, depending on the sensitivity of the information.
- How critical is your role in the DoD supply chain? If your organization plays a non-critical role and handles less sensitive information, CMMC Level 2 (non-critical) might be appropriate. If your organization plays a critical role in national security or handles highly sensitive information, you will likely need to comply with CMMC Level 2 (critical) or Level 3.
- Do your requirements align with prime contractors? If you are a subcontractor, communicate with your prime contractors to understand any applicable CMMC requirements flowing down from the main contract. Prime contractors should be able to provide guidance on the required CMMC level for their subcontractors.
You can also refer to the CMMC Accreditation Body (CMMC-AB) website and the Department of Defense CMMC page for official guidance and resources on CMMC requirements and levels.
Step 2: Understand CMMC requirements and conduct a gap assessment
Next, perform an internal assessment to evaluate your current cybersecurity practices against the requirements of the relevant CMMC level.
You can use the CMMC 2.0 compliance checklists below to understand specific requirements for CMMC Level 1 and Level 2 and ensure you have the proper security protocols in place. These checklists will also help you identify gaps so you can address any deficiencies before completing a formal assessment.
CMMC 2.0 Compliance Checklists
Download requirements checklists for CMMC 2.0 Level 1 and Level 2 to help guide your compliance efforts and assessment preparations.
Step 3: Complete the applicable CMMC assessment
Once you’re confident your security protocols satisfy CMMC requirements, you can proceed with the compliance assessment.
The CMMC assessment process varies depending on which level of compliance is required. CMMC Level 1 and non-critical Level 2 assessments are less rigorous compared to critical Level 2 and Level 3.
Here’s an overview of the assessment process for each CMMC level.
CMMC Level 1 and CMMC Non-critical Level 2: Annual self-assessment
Organizations are required to perform an annual self-assessment to ensure they comply with the required cybersecurity practices of Level 1. A senior executive of the organization must also affirm the results of the self-assessment, attesting that the organization meets the Level 1 requirements.
Once you’ve prepared the necessary compliance documentation and evidence, select a self-assessment team that holds the required knowledge and expertise about CMMC Level 1 requirements and your organization’s security posture.
The DoD Chief Information Officer provides self-assessment tools, including scoping and self-assessment guidance, to inform your evaluation. Assess Level 1 requirements, documenting whether each one is fully, partially, or not implemented. Critical requirements will need to be remediated immediately before continuing. For any other practices that are not fully implemented, document the gaps and create a remediation plan. This Plan of Action and Milestones (POA&M) document will outline the specific steps, owners, and deadlines for completing remediation actions.
The other document required for Level 1 compliance is the System Security Plan (SSP), which acts like a detailed blueprint of how the organization keeps its digital assets safe. The SSP outlines the specific security controls and practices the organization has implemented to safeguard its information assets and IT infrastructure.
Once the self-assessment is complete, obtain executive sign-off. This formal affirmation certifies that the self-assessment was thorough and the organization satisfies CMMC level 1 requirements.
Organizations handling Level 2 non-critical Controlled Unclassified Information (CUI) can also perform an annual self-assessment against the applicable controls from NIST SP 800-171. Similar to Level 1, a senior executive must affirm the results of the self-assessment with a letter of attestation.
CMMC Critical Level 2: Engage a C3PAO (Certified Third-Party Assessment Organization)
Organizations handling critical CUI must undergo a third-party assessment conducted by a C3PAO every three years. Once they’re ready for an assessment, organizations choose a C3PAO from the list of authorized assessment organizations provided by the CMMC-AB.
The C3PAO will conduct a comprehensive review of the organization's implementation of the applicable NIST 800-171 controls. They will review policies, procedures, evidence of implemented controls, and key documentation including:
- System Security Plan (SSP): Outlines how the organization has implemented the required cybersecurity practices and processes for CMMC. It provides detailed information about the organization's cybersecurity posture, including a system description and boundaries, risk assessment processes, specific security controls, policies and procedures, incident response and continuous monitoring, and an overview of organizational roles and responsibilities.
- Plan of Action and Milestones (POA&M): Outlines the specific steps an organization will take to address any deficiencies identified during an internal or third-party assessment. During CMMC assessments, third-party assessors review the POA&M to verify that the organization has a structured approach to addressing gaps and maintaining compliance.
- Supplier Performance Risk System (SPRS) Assessment: A SPRS assessment for CMMC involves evaluating a contractor's cybersecurity practices and risk management performance. This assessment is essential to ensure compliance with Department of Defense (DoD) requirements, enhance overall supply chain security, and safeguard sensitive information from cyber threats.
Other key documents include a risk mitigation plan, incident response and reporting plan, continuous monitoring plan, access control policy, configuration management plan, separation of duties matrix, and an audit log management plan. Assessors will also interview company stakeholders to discuss and observe cybersecurity practices, and may perform technical and system tests to validate the effectiveness of implemented controls.
After this review, the C3PAO may provide preliminary feedback to highlight any issues or areas of concern uncovered by the assessment. If any deficiencies are found, the report will include recommended corrective actions. A final report is then submitted to the CMMC-AB for review and the final certification decision.
If compliant, the organization receives the CMMC certification for the assessed level, which is valid for three years. During those three years, organizations must continue to monitor and improve their cybersecurity practices by maintaining their POA&M.
CMMC Level 3: Government-led assessment
Organizations seeking Level 3 certification must coordinate with the Department of Defense to schedule a government-led assessment.
Government assessors may hold a pre-assessment meeting to discuss scope, timing, and assessment process. Similar to C3PAO assessors, government assessors will review submitted documentation, including the SSP, POA&M, and other policies. On-site evaluations typically include interviews with key personnel and observations of cybersecurity practices in action, as well as technical and system testing to verify the effectiveness of implemented controls. Government assessors will also review evidence such as screenshots, access logs, configurations, and procedure documentation to validate that controls are implemented correctly.
Government assessors may provide a preliminary report to point out any deficiencies or areas for improvement, giving organizations the opportunity to address any immediate issues identified during the assessment.
The final report is submitted to the CMMC-AB for review and final certification decision. Certification is valid for three years. To maintain compliance between assessments, Level 3 organizations must continuously monitor their systems and controls and maintain their POA&M. Policies and procedures must also be kept up-to-date to reflect any changes made to the organization’s security posture or organizational practices.
How to streamline CMMC compliance with automation
Automation is fundamentally changing the security, privacy, and compliance landscape, especially in the government and public sectors. With Secureframe’s automated compliance platform, government contractors and authorized software vendors can navigate complex framework requirements, implement and monitor required controls, and achieve continuous compliance with standards including CMMC, NIST 800-171, NIST 800-53, and many others.
- Federal compliance expertise: Our team of compliance experts includes former FISMA, FedRAMP, and CMMC auditors and consultants to support you at every step. Our platform is always kept up-to-date on the latest changes to federal compliance requirements, simplifying regulatory change management.
- Deep integrations for powerful automation: Secureframe integrates with your existing tech stack, including AWS GovCloud, to automatically collect evidence, continuously monitor your security and compliance posture, and simplify POA&M maintenance.
- Multi-framework compliance: Intelligent cross-mapping makes it easier to quickly achieve compliance with multiple federal standards, such as NIST 800-53, NIST 800-171, FedRAMP, and CJIS. Instead of starting from scratch, Secureframe applies the controls you already have in place for CMMC to multiple frameworks, accelerating time to compliance and eliminating duplicate work.
- Easier document and policy management: Templated policies, procedures, and SSPs written by former federal auditors can be fully customized to meet your needs. Our enterprise policy management capabilities include POA&M documents, impact assessments, and readiness reports.
Schedule a demo to learn more about how Secureframe supports government contractors in achieving and maintaining CMMC Level 1 compliance.
Use trust to accelerate growth
Request a demoFAQs
What does CMMC compliance mean?
CMMC (Cybersecurity Maturity Model Certification) compliance means that an organization meets the required cybersecurity standards set by the Department of Defense (DoD) to protect sensitive information. The CMMC model mandates that contractors have appropriate cybersecurity measures in place to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What are the 3 levels of CMMC?
The three levels of CMMC are:
- Level 1 (Foundational): Basic cyber hygiene practices.
- Level 2 (Advanced): Aligns with NIST SP 800-171 practices.
- Level 3 (Expert): Aligns with a subset of NIST SP 800-172 controls, focused on advanced/progressive cybersecurity practices.
What is CMMC vs NIST?
CMMC is a certification framework specifically created by the DoD to assess and enhance the cybersecurity posture of its contractors. It builds upon NIST SP 800-171, which provides a set of recommended security requirements for protecting the confidentiality of CUI. CMMC incorporates NIST SP 800-171 controls and adds additional practices and processes to improve maturity levels.
What is the difference between CUI and CMMC?
CUI (Controlled Unclassified Information) refers to information that requires protection under federal law, regulations, or government-wide policies but is not classified. CMMC is a certification model that ensures contractors implement sufficient security controls to protect CUI.
Does CMMC only apply to DoD?
Yes, the CMMC framework primarily applies to the defense industrial base (DIB), including DoD contractors and subcontractors. However, it could influence other federal agencies' cybersecurity requirements in the future.
Who needs to be CMMC certified?
Any organization that wants to bid on DoD contracts or handle DoD information must achieve the appropriate CMMC level for the contract's requirements. This includes prime contractors and their subcontractors.
How much does it cost to get CMMC certified?
The cost of CMMC certification can vary widely depending on several factors, including the level of certification required, the size and complexity of the organization, and the existing cybersecurity posture. Costs can range from a few thousand to several hundred thousand dollars, including preparation, assessment, and remediation costs.
Can you self-certify CMMC?
Some levels of CMMC allow for an annual self-assessment along with a senior executive attestation. Higher CMMC levels require a third-party assessment by a certified CMMC Third Party Assessment Organization (C3PAO).
What is the difference between FedRAMP and CMMC?
FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. CMMC, on the other hand, is specifically focused on assessing and certifying the cybersecurity practices of DoD contractors. While FedRAMP is for cloud service providers across various federal agencies, CMMC is for DoD contractors dealing with FCI and CUI.