The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to enforce protection of the sensitive unclassified information it shares with its contractors and subcontractors: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
If you’re a contractor or subcontractor trying to meet the cybersecurity requirements that apply to acquisition programs and systems that process this type of information, understanding the specific requirements of your certification level and the latest CMMC model is essential for achieving and maintaining compliance.
In this blog, we’ll break down the CMMC 2.0 requirements, explore what’s needed at each certification level, and answer common questions about CMMC requirements.
DFARS Clauses
To understand CMMC requirements, we have to first cover the history of the CMMC program, starting with the Defense Federal Acquisition Regulation Supplement (DFARS).
In response to increases in cyber threats aimed at the Defense Industrial Base (DIB), DFARS clause 252.204-7012 was published in the Federal Register and became effective in 2015. This required contractors and subcontractors to safeguard CUI by implementing cybersecurity requirements in NIST SP 800-171. This was a significant milestone in the effort to strengthen U.S. national security; however, the DoD wanted increased assurance that contractors and subcontractors were in fact implementing the DoD’s cybersecurity requirements and capable of protecting unclassified information.
So in 2019, DoD announced the development of CMMC, a program designed to move away from a “self-attestation” model of security and adequately secure the DIB sector against evolving cybersecurity threats.
In September 2020, DoD published the DFARS Interim Rule, the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements. Designed to strengthen DFARS clause 252.204-7012, increase compliance with its cybersecurity regulations, and enhance the protection of unclassified information within the DoD supply chain, this rule introduced three new clauses: DFARS clause 252.204-7019, DFARS clause 252.204-7020, and DFARS clause 252.204-7021.
This interim rule implemented the DoD's initial vision for the CMMC Program (CMMC 1.0), outlining the basic features of the framework to protect FCI and CUI (i.e., a tiered model of practices and processes, required assessments, and implementation through contracts).
After receiving hundreds of public comments on the CMMC 1.0 program and conducting an internal review of CMMC’s implementation, the DoD announced CMMC 2.0 in November 2021.
So before we look at CMMC 2.0 requirements, it’s important to have a foundational knowledge of the DFARS clauses 7012, 7019, 7020, and 7021.
DFARS Clause 252.204-7012
CMMC complements DFARS clause 252.204-7012, the 2015 clause described above. Its key requirements are:
- NIST 800-171 compliance: DFARS 7012 requires contractors and subcontractors to safeguard CUI by implementing cybersecurity requirements in NIST SP 800-171. They are required to develop a System Security Plan (SSP) detailing the policies and procedures their organization has in place to comply with NIST SP 800-171.
- Flowdown of requirements to subcontractors: Defense contractors must flow down all the requirements to their subcontractors.
- Incident reporting: DFARS 7012 requires organizations to report a cyber incident affecting covered defense information or the contractor's ability to perform operationally critical support to the DoD within 72 hours of discovery, through the DoD's formal reporting mechanism (DIBNet). Any malicious software discovered and isolated during the incident must be submitted to the DoD Cyber Crime Center (DC3), and images of affected systems and all relevant monitoring and packet-capture data must be preserved and protected for at least 90 days from the submission of the cyber incident report, so that the DoD can request them for damage assessment.
DFARS Provision 252.204-7019
DFARS provision 252.204-7019 strengthens DFARS clause 252.204-7012 by requiring contractors to conduct a NIST SP 800-171 self-assessment according to the NIST SP 800-171 DoD Assessment Methodology. Under that methodology each of the 110 requirements carries a weight of 1, 3 or 5 points; a perfect score is 110, and each unimplemented requirement subtracts its weight, so the score can go negative. These self-assessment scores must be reported to the Department via the Supplier Performance Risk System (SPRS). SPRS scores must be submitted and current (i.e., not more than three years old) in order to be considered for a contract award.
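To make the SPRS score concrete, here is an added example that is not part of the original post and is not DoD or SPRS tooling. It scores an assessment under the DoD Assessment Methodology rules as summarized in its docstring: 110 points minus the weight of each unmet requirement, partial credit for MFA (3.5.3) and FIPS-validated cryptography (3.13.11), and no score at all without a System Security Plan (3.12.4). The weight table is a constructed subset of the methodology's Annex A, assumed for illustration; verify every weight against the published table before using anything like this for a real submission.

```python
"""Score a NIST SP 800-171 DoD Assessment Methodology (SPRS) self-assessment.

Rules implemented here (as this added example understands the methodology):
  * each of the 110 requirements carries a weight of 5, 3 or 1 point;
  * the score starts at 110 and each unmet requirement subtracts its weight;
  * 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) are 5-point items that
    subtract only 3 when partially met (MFA for remote/privileged users only;
    encryption in use but not FIPS-validated);
  * 3.12.4 (System Security Plan) is not scored: without an SSP there is
    nothing to assess against and no score can be produced.
"""
from typing import Dict, List, Tuple

MAX_SCORE = 110
SSP_REQUIREMENT = "3.12.4"
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
VALID_STATUS = {"met", "not_met", "partial"}

# Constructed, illustrative subset of the Annex A weight table, NOT the full
# 110-row table. Check each weight against the published methodology.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.8.1": 3,    # protect system media containing CUI
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}


def _deduction(req: str, weight: int, state: str) -> int:
    """Points lost for one requirement in the given state."""
    if weight not in (1, 3, 5):
        raise ValueError(f"{req}: weight must be 1, 3 or 5, got {weight}")
    if state == "met":
        return 0
    if state == "not_met":
        return weight
    if state == "partial":
        if req not in PARTIAL_CREDIT_DEDUCTION:
            raise ValueError(f"{req}: partial credit only exists for "
                             f"{sorted(PARTIAL_CREDIT_DEDUCTION)}")
        return PARTIAL_CREDIT_DEDUCTION[req]
    raise ValueError(f"{req}: unknown status {state!r}")


def sprs_score(weights: Dict[str, int], status: Dict[str, str]) -> int:
    """Return the score for `weights` given per-requirement `status`.

    `status` maps requirement id -> "met" | "not_met" | "partial". A requirement
    missing from `status` counts as not met (no evidence, no credit). The SSP
    requirement must be present and "met" or no score is produced.
    """
    if status.get(SSP_REQUIREMENT) != "met":
        raise ValueError(f"{SSP_REQUIREMENT} (SSP) not in place: cannot score")
    return MAX_SCORE - sum(_deduction(req, w, status.get(req, "not_met"))
                           for req, w in weights.items())


def minimum_score(weights: Dict[str, int]) -> int:
    """Lowest score the table can produce (every requirement unmet).
    For the full 110-requirement table this is 110 - 313 = -203."""
    return MAX_SCORE - sum(weights.values())


def remediation_priority(weights: Dict[str, int],
                         status: Dict[str, str]) -> List[Tuple[str, int]]:
    """Unmet or partial requirements ordered by points recoverable, highest
    first: the natural ordering for a POA&M meant to raise the score fastest."""
    items = []
    for req, weight in weights.items():
        lost = _deduction(req, weight, status.get(req, "not_met"))
        if lost:
            items.append((req, lost))
    return sorted(items, key=lambda item: (-item[1], item[0]))


# Constructed sample assessment: everything met except four requirements.
SAMPLE_STATUS: Dict[str, str] = {
    SSP_REQUIREMENT: "met",
    "3.1.1": "met", "3.1.2": "met", "3.3.1": "met", "3.14.1": "met",
    "3.1.3": "not_met",
    "3.8.1": "not_met",
    "3.5.3": "partial",    # MFA for remote and privileged users only
    "3.13.11": "partial",  # encryption in use, but not FIPS-validated
}

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_WEIGHTS, SAMPLE_STATUS))
    print("floor:", minimum_score(SAMPLE_WEIGHTS))
    for req, pts in remediation_priority(SAMPLE_WEIGHTS, SAMPLE_STATUS):
        print(f"  {req:<8} +{pts}")
```

With the constructed sample the score is 100 (1 + 3 + 3 + 3 points lost), and the remediation list puts the three 3-point items ahead of the 1-point one. Treating a requirement absent from the status map as not met is deliberate: an assessor gives no credit for a control with no evidence, and a script that silently defaulted to "met" would overstate the score.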
DFARS Clause 252.204-7020
DFARS clause 252.204-7020 strengthens DFARS clause 252.204-7012's flowdown requirements by holding contractors responsible for confirming their subcontractors have SPRS scores on file prior to awarding them contracts.
It also requires contractors to give the DoD access to their facilities, systems, and personnel if the Department needs to conduct a higher-level (Medium or High) assessment of the contractor's cybersecurity compliance.
DFARS 252.204-7021
Set to go into effect on Oct 1, 2025, DFARS clause 252.204-7021 requires contractors to achieve the CMMC certification level required in their DoD contract by the time of contract award and to maintain it throughout the duration of the contract. It also stipulates that contractors are responsible for flowing down the CMMC requirements to their subcontractors. The level flowed down depends on the information the subcontractor will handle: a subcontractor that receives only FCI needs Level 1 even when the prime holds Level 2, while a subcontractor that processes CUI needs at least Level 2.
Now that we have a better understanding of the DFARS clauses and how they implemented the DoD's initial vision for CMMC 1.0, let’s look at the latest version of the program.
CMMC 2.0 Requirements
With the introduction of CMMC 2.0, the DoD has simplified the certification process while maintaining stringent security standards. CMMC 2.0 focuses on three distinct levels of certification, each tailored to different types of information and risks.
The core of CMMC 2.0 requirements revolves around implementing and documenting cybersecurity practices aligned with established and widely accepted cybersecurity standards.
The key changes between CMMC 1.0 and CMMC 2.0 requirements are:
- Condensed five levels to three: CMMC 2.0 streamlines the original model from five to three levels. Each level has progressively stringent cybersecurity practices and assessment requirements based on the type and sensitivity of the information the organization processes.
- Aligned with NIST cybersecurity standards: The CMMC 2.0 framework heavily aligns with NIST standards, particularly NIST SP 800-171 for Level 2 and both NIST SP 800-171 and NIST SP 800-172 for Level 3.
- Streamlined assessments: CMMC 2.0 aims to streamline and reduce the costs associated with the assessment process, allowing all companies at Level 1 and a subset of companies at Level 2 to demonstrate compliance through self-assessments.
- Increased flexibility: CMMC 2.0 also increases the flexibility of implementing requirements. Most notably, under certain limited circumstances, it allows companies to make Plans of Action & Milestones (POA&Ms) to achieve certification and allows the government to waive inclusion of CMMC requirements.
What are CMMC domains?
The CMMC 2.0 model consists of 14 domains, each representing a critical aspect of an organization’s cybersecurity posture. Each domain encompasses a range of practices that need to be implemented and maintained to protect FCI and CUI. CMMC 2.0, like its predecessor, organizes these practices into domains to provide a structured approach to building and assessing cybersecurity capabilities.
Together, these domains and practices make up the CMMC framework requirements that organizations must meet for CMMC compliance.
CMMC domains align with the families specified in NIST SP 800-171, and include the following:
- Access Control (AC): Controls who can access systems and data, ensuring that only authorized users have access to sensitive information.
- Audit and Accountability (AU): Ensures that activities are logged and monitored, enabling the detection and investigation of security incidents.
- Awareness and Training (AT): Focuses on educating employees about security policies, procedures, and best practices to reduce human error and enhance organizational security.
- Configuration Management (CM): Involves the proper setup and maintenance of systems and devices to ensure security configurations are enforced consistently.
- Identification and Authentication (IA): Verifies the identity of users and devices before granting access to systems, ensuring that only legitimate entities can interact with sensitive information.
- Incident Response (IR): Develops and implements procedures for identifying, managing, and mitigating the impact of cybersecurity incidents.
- Maintenance (MA): Ensures that systems are maintained regularly and securely, including the application of patches and updates.
- Media Protection (MP): Protects sensitive information stored on various media types, ensuring that it is properly handled and disposed of.
- Personnel Security (PS): Addresses security measures related to the hiring, training, and management of personnel with access to sensitive information.
- Physical Protection (PE): Controls physical access to facilities, systems, and equipment, ensuring that only authorized personnel can access sensitive areas.
- Risk Assessment (RA): Identifies, assesses, and mitigates risks to the organization’s information systems and data.
- Security Assessment (CA): Regularly evaluates the effectiveness of security controls and practices, ensuring continuous improvement.
- System and Communications Protection (SC): Protects the organization’s information and systems during transmission and ensures that communications are secure.
- System and Information Integrity (SI): Ensures that systems and data are protected from unauthorized modification and that integrity is maintained across all systems.
These domains provide a comprehensive approach to cybersecurity, covering all aspects from access control and incident response to risk assessment and system and information integrity. Organizations seeking CMMC 2.0 certification must implement and document practices across these domains, corresponding to the level of certification they are pursuing.
Let’s take a closer look at these levels and their corresponding requirements below.
CMMC Compliance Requirements
Any organization that handles FCI or CUI must achieve one of the three CMMC levels, as specified in their contract, to be eligible to do defense-related work.
Each CMMC level is cumulative. Meaning, if an organization wants to achieve CMMC Level 2 or 3 certification, it must demonstrate compliance with the requirements of the preceding lower level(s).
We’ll cover each level and associated set of requirements, starting with Level 1, below.
CMMC Level 1 Requirements
CMMC Level 1, also known as the Foundational Level, is designed for organizations that handle FCI. It focuses on basic cyber hygiene practices that are fundamental to protecting information.
Below is an overview of the key requirements for CMMC Level 1.
- 17 practices specified in FAR Clause 52.204-21: Level 1 contractors must implement 17 basic cybersecurity practices derived from the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) 52.204-21 (the final CMMC rule counts them as 15 requirements; the practices are the same).
- Domains: Level 1 requirements span six of the 14 domains, including access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.
- Self-assessment: Level 1 certification requires an annual self-assessment, with an affirmation of compliance by a senior company official.
CMMC Level 2 Requirements
CMMC Level 2, or the Advanced Level, is intended for organizations that handle CUI. It requires organizations to achieve a higher level of cyber hygiene than Level 1 contractors by implementing 110 practices aligned with NIST SP 800-171.
Below is an overview of the key requirements for CMMC Level 2.
- 110 practices aligned with NIST 800-171: Level 2 contractors must implement 110 security practices aligned with NIST 800-171 for the protection of CUI.
- Domains: Level 2 requirements span all 14 domains.
- Third-party assessments by C3PAOs with exceptions: Most Level 2 certifications require triennial third-party assessments by a Certified Third-Party Assessment Organization (C3PAO). However, some Level 2 contractors that handle CUI but are working on projects that do not involve sensitive national security information (also referred to as “non-prioritized acquisitions”) may be permitted to perform triennial self-assessments and annual executive affirmations instead.
CMMC Level 3 Requirements
CMMC Level 3, or the Expert level, is designed for organizations that handle the most sensitive CUI and face advanced persistent threats (APTs). This level is the most rigorous in the CMMC 2.0 framework: on top of the 110 NIST SP 800-171 practices it requires 24 selected requirements from NIST SP 800-172, for 134 in total.
Below is an overview of the key requirements for CMMC Level 3.
- 134 practices based on NIST 800-171 and 800-172: Level 3 builds upon the practices required at Levels 1 and 2, adding 24 selected controls from NIST SP 800-172 focused on combating APTs.
- Domains: Level 3 requirements span all 14 domains.
- Proactive cybersecurity measures: Level 3 contractors must demonstrate a proactive and mature cybersecurity posture, with a focus on continuously monitoring, detecting, and responding to sophisticated cyber threats.
- Receipt of Level 2 certification assessment: Completing a Level 2 Certification Assessment for in-scope information systems is a prerequisite for a Level 3 certification assessment.
- Government-led assessments: Certification at Level 3 requires triennial assessments conducted by the government, specifically the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), to ensure that the organization meets the highest standards of cybersecurity maturity and is capable of protecting CUI against the most sophisticated cyber threats. Organizations seeking this certification level must coordinate with the DoD to schedule an assessment.
Use the decision tree below to help determine what CMMC requirements you should meet.