Guide on Cybersecurity Maturity Model Certification (CMMC 2.0)

Published on: 05 Apr 2022

Cybersecurity Maturity Model Certification

The CMMC 2.0 model is the upgraded version of CMMC v1.0, established back in 2020. In a bid to mitigate the growing risk of cybersecurity threats, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) framework in January 2020. The objective behind establishing this framework was to ensure that businesses maintain an appropriate level of cybersecurity to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Prior to the enforcement of CMMC, contractors were responsible for implementing and monitoring their own cybersecurity best practices. However, because they were allowed to self-attest to their level of security, these contractors were never audited or verified for the level of security they maintained. With the establishment of CMMC, there was a complete paradigm shift in cybersecurity among contractors serving the DoD.

The DoD now works on a model of “trust but verify” rather than simply relying on the self-attestation approach. Unlike most cybersecurity frameworks, CMMC was designed and established specifically to address supply chain cybersecurity threats. The framework provides an excellent foundation for establishing a strong cybersecurity program to effectively manage cyber threats. Over a year after enforcing CMMC, in 2021 the federal government issued a new version of the framework, CMMC 2.0, which is designed to simplify compliance requirements for contractors. Let us learn about the CMMC 2.0 model and understand its 3 levels and their different controls.

What is CMMC Compliance?

Cybersecurity Maturity Model Certification is a cybersecurity program developed by the United States Department of Defense (DoD). It is a standard and an industry best practice that organizations dealing with the DoD are required to comply with. The framework is designed to measure a defense contractor’s capability and readiness to mitigate the cybersecurity threats prevailing in the industry.

The CMMC Compliance framework is a collection of processes and security implementations of various cybersecurity standards such as NIST, FAR, and DFARS. Achieving CMMC Certification of Compliance simply suggests the level of maturity an organization’s current cybersecurity initiative stands at in the industry. The primary objective of attaining the certification is to improve the security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that is in the possession and use of their federal contractors. 

CMMC, or CMMC v1.0, was designed with 5 maturity levels ranging from the basics of cyber hygiene at Level 1 to the progressive and advanced practices at Level 5. An organization operating with non-classified DoD data was expected to meet Level 3 or a level below that for CMMC Compliance.

Organizations operating with high-value information were expected to achieve Level 4 or higher. However, in 2021 the Federal Government issued a new version of the framework, CMMC 2.0. In this updated version there are just three levels. CMMC 2.0 compliance requirements now vary depending on the contract, with some requiring only Level 1 or Level 2, and others Level 3. Let us look at what CMMC 2.0 is for a better understanding of the standard and the compliance program.

What is CMMC 2.0?

CMMC 2.0 is the upgraded version of CMMC Compliance, introduced in 2021. The CMMC 2.0 changes include reducing the number of compliance “levels” from five to three and making it easier for contractors to self-certify their compliance. The table below broadly outlines the key CMMC 2.0 vs 1.0 changes introduced by the DoD in the latest version of the model.

CMMC 2.0 vs CMMC 1.0



Levels

CMMC 1.0:
1. CMMC 1.0 included 5 progressive levels from Basic to Advanced.
2. CMMC Levels 2 and 4 were intended as transition stages between Levels 1, 3, and 5.

CMMC 2.0:
CMMC 2.0 includes 3 progressive levels:
   Foundational Level 1 (same as CMMC 1.0 Level 1)
   Advanced Level 2 (same as CMMC 1.0 Level 3)
   Expert Level 3 (same as CMMC 1.0 Level 5)

Requirements at each level

CMMC 1.0:
1. Requirements include cybersecurity standards and maturity processes at each level.
2. Cybersecurity standards consist of certain requirements from NIST SP 800-171 as well as CMMC-unique standards.

CMMC 2.0:
1. Eliminates all maturity processes.
2. Eliminates all CMMC-unique security practices:
   Advanced Level 2 will mirror NIST SP 800-171 (110 security practices)
   Expert Level 3 will be based on a subset of NIST SP 800-172 requirements

Additional Changes

CMMC 2.0:
1. Allows annual self-assessments with an annual affirmation by DIB company leadership for CMMC Level
2. Bifurcates CMMC Level 3 requirements to identify prioritized acquisitions that require independent assessment, and non-prioritized acquisitions that require annual self-assessment and annual company affirmation.
3. Development of a time-bound and enforceable Plan of Action and Milestone process.
4. Development of a selective, time-bound waiver process, if needed and approved.

Who needs to be CMMC Certified?

CMMC 2.0 is meant for any organization planning to do business with the DoD. This requirement applies to prime contractors, subcontractors, and any other supplier across the supply chain involved in the process. CMMC compliance requirements may vary depending on the contract, with some contracts requiring Level 1 or Level 2 compliance while other contracts may require up to Level 5.

The DoD contract specifies the level of compliance the contractor needs to meet. That said, not working with the government or the DoD does not mean a business need not comply with CMMC 2.0. CMMC compliance, in general, is seen as an industry best practice, so every organization should be able to achieve CMMC compliance.

CMMC 2.0 Model

The CMMC 2.0 Model is the latest version of the standard designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department. The CMMC model framework outlines the best cybersecurity practices at the highest level by domains that are segmented into different CMMC 2.0 controls. Contractors looking to work with the DoD are required to demonstrate compliance by adhering to those controls and processes, segmented across the 3 maturity levels of CMMC: Level 1 Foundational, Level 2 Advanced, and Level 3 Expert. Let us look at the 3 levels of the CMMC 2.0 Model in a bit more detail.

CMMC 2.0 Model at a Glance

CMMC Model 2.0 | Controls/Practices | Assessment
Level 1 Foundation | 17 practices | Annual Self-Assessment
Level 2 Advanced | 110 practices aligned with NIST 800-171 | Triennial Third Party Assessment
Level 3 Expert | 110 + practices based on NIST 800-172 | Triennial Government led Assessment

3 Levels of CMMC 2.0

Foundational Level 1

CMMC 2.0 Level 1 is the foundational level comprising the 17 controls of CMMC 1.0 Level 1, a limited subset of NIST 800-171. CMMC Level 1 applies to organizations handling, and focused on protecting, Federal Contract Information (FCI). These controls are meant for basic cyber hygiene to protect covered contractor information systems and to engage contractors in developing a strong cybersecurity posture. Level 1, the foundational level of CMMC 2.0, allows self-assessment.

Advanced Level 2

CMMC 2.0 Level 2 is the advanced level comprising the 110 controls of NIST 800-171. Level 2 of CMMC 2.0 is comparable to Level 3 of CMMC 1.0: its requirements reflect the 14 domains and 110 controls of NIST SP 800-171 and eliminate all practices and maturity processes that were unique to CMMC.

It applies to those organizations handling Controlled Unclassified Information that is deemed critical to National Security Information. Achieving and maintaining compliance at this level requires audit and assessment by a third party every three years. So, any contractor with a Defense Federal Acquisition Regulation Supplement (DFARS) clause in their contract will need to at least meet Level 2 requirements. Further, it is important to note that DFARS clause 252.204-7012 applies and specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting.

Expert Level 3

CMMC 2.0 Level 3 focuses on protecting sensitive information against Advanced Persistent Threats (APTs) and is meant for organizations dealing with or handling Controlled Unclassified Information which is DoD’s top priority. Level 3 is similar or rather comparable to the CMMC 1.0 Level 5. Currently, the requirement for this level is still being developed but officially lists out 110 controls based on NIST 800-172. Any contractor with a DFARS clause in their contract will meet Level 3 requirements.

Meeting this requirement will require going beyond NIST SP 800-171 security requirements and including incident reporting. It is also important to note that the assessment of CMMC Level 3 will be completed by the government and not by a CMMC Third Party Assessment Organization (C3PAO).

NIST 800-171 14 Domains Covered in CMMC 2.0

Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information

Getting Started with CMMC Compliance

CMMC 2.0, the latest version from the DoD, is being established in an effort to mitigate cyberattacks that threaten U.S. military, technology, and commercial interests. It is a standard designed to equip organizations to deal with cybersecurity threats more effectively. So, organizations looking to achieve CMMC 2.0 Compliance must kick-start their journey by achieving NIST 800-171.

This is simply because the CMMC 2.0 Advanced Level 2 mirrors the NIST 800-171 standard and aligns with the standard’s 110 security controls. So, clearly, compliance with NIST SP 800-171 will ensure effective implementation and achievement of certain levels of CMMC 2.0 compliance. 

Organizations handling CUI and looking to attain DoD contracts must get started on their compliance path even though the final CMMC 2.0 requirements are yet to be officially established and are still working their way through federal rulemaking and the enforcement of federal cybersecurity regulations.

Moreover, since NIST 800-171 continues as the standard, organizations must seek to comply with and prepare to meet the NIST 800-171 control requirements without delay, as preparation can take over a year. For assistance and guidance on NIST 800-171 or CMMC 2.0, you can get in touch with our compliance experts at VISTA InfoSec. They can guide you through the process and help your organization in the compliance journey.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.