What is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s framework for ensuring that contractors protect sensitive government data. It consolidates the original 5-level model into three levels to simplify compliance and lower costs. All DoD contractors and subcontractors must comply at the level specified in their contract to remain eligible for awards.
Who Does It Apply To?
- All companies in the Defense Industrial Base (DIB), including primes and subcontractors, depending on the type of information they handle.
- Compliance level is dictated by contract requirements.
- Applies to contractors that store, process, or transmit:
  - Federal Contract Information (FCI)
  - Controlled Unclassified Information (CUI)
The Three Levels of CMMC 2.0
Level 1 – Foundational
- Who it applies to: Contractors that only handle Federal Contract Information (FCI).
- Requirements: 17 basic cybersecurity practices aligned with FAR 52.204-21 (e.g., strong passwords, antivirus, access controls, training).
- Assessment: Annual self-assessment; results must be posted in SPRS (Supplier Performance Risk System).
- Goal: Protect basic contract information.
Level 2 – Advanced
- Who it applies to: Contractors that handle Controlled Unclassified Information (CUI).
- Requirements: 110 practices aligned with NIST SP 800-171.
- Assessment:
  - Self-assessment permitted for some contracts (non-prioritized CUI).
  - Third-party C3PAO assessment required every 3 years for prioritized contracts.
  - Annual affirmation still required.
- Goal: Protect sensitive unclassified defense information from compromise.
- Flexibility: POA&Ms (Plans of Action & Milestones) are allowed for some non-critical items, with 180-day closure requirements.
Level 3 – Expert
- Who it applies to: Contractors working on the most critical programs involving sensitive CUI at high risk of nation-state threats.
- Requirements: All Level 2 controls plus additional enhanced requirements from NIST SP 800-172 (covering advanced incident response, monitoring, resilience, and counter-APT measures).
- Assessment: Government-led assessment (e.g., DIBCAC) every 3 years.
- Goal: Protect CUI against advanced persistent threats (APTs).
What This Means for Clients
- Level 1: If you only handle FCI, you’ll need to demonstrate foundational practices through an annual self-assessment.
- Level 2: If your work involves CUI, expect rigorous requirements and a likely third-party audit.
- Level 3: Reserved for critical programs, requiring the highest degree of cyber defense and government oversight.
Failure to meet the required level could result in lost contracts and disqualification from current and future DoD opportunities.
How Can CAMP Help You?
We guide clients through the full compliance lifecycle:
- Scoping & Gap Analysis – Identify which level applies and assess current posture.
- System Security Plan (SSP) & Policy Development – Create required documentation aligned with NIST 800-171/172.
- Remediation & Implementation – Deploy missing controls, tools, and processes.
- Evidence & POA&M Support – Build audit-ready evidence packages and close gaps.
- Readiness Assessment / Mock Audit – Dry runs to prepare for C3PAO or government assessors.
- Assessment Support – Act as liaison during formal audits, ensuring smooth responses.
- Sustainment & Monitoring – Annual affirmations, ongoing compliance updates, training, and continuous improvement.
Our Value: We reduce risk, accelerate compliance, and position your organization for successful assessments – whether at Level 1, Level 2, or Level 3.