CMMC 2.0 Requirements and Controls
Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's (DOD) mandatory framework for protecting sensitive information across the defense industrial base (DIB). Defense contractors handling Controlled Unclassified Information (CUI) must achieve CMMC certification to bid on and maintain DOD contracts.
Navigate CMMC compliance with confidence
CyberSheath guides organizations through every phase of CMMC compliance — from gap assessments to certification readiness, including full management of IT, security, and regulatory compliance — so that you confidently and efficiently meet DOD cybersecurity standards and best practices.
The evolution of defense contractor cybersecurity
The starting point for cybersecurity requirements was NIST SP 800-171, which established the standard for protecting CUI. The DOD codified these practices with DFARS clause 252.204-7012, which relied on self-attestation.
Self-attestation has proven to be a vulnerability. To address it, the DOD introduced the CMMC framework, which requires third-party assessments and documented proof of implementation. The DOD then refined the framework into CMMC 2.0, streamlining the original five-level model down to three while maintaining alignment with NIST 800-171 practices.
CMMC 2.0 preserves the rigor of independent assessment while providing a more practical pathway to certification and ensuring that compliance is real, not merely claimed.
Understanding the CMMC 2.0 framework
CMMC 2.0 is a comprehensive cybersecurity certification framework that applies to all DIB suppliers handling Federal Contract Information (FCI) or CUI, including all DOD primes and subcontractors and their suppliers; all commercial companies/suppliers that store, process, or transmit CUI; and all non-U.S. DIB suppliers. Without proper certification, organizations cannot bid on or maintain DOD contracts.
CMMC 2.0 levels, explained
CMMC 2.0 consists of progressive certification levels, each designed to protect specific types of defense information. Your contract dictates which CMMC level you need to meet.
| Level | Overview | Key Requirements |
|---|---|---|
| Level 1: Foundational | This entry-level certification is required for all companies handling FCI and includes 17 basic cyber hygiene practices drawn from the FAR 52.204-21 and NIST SP 800-171. | Requirements include implementing safeguarding controls such as limiting system access, using antivirus software, and ensuring physical system security. |
| Level 2: Advanced | This level protects FCI and CUI, and includes 110 security requirements within 14 control families and 320 assessment objectives aligned with NIST SP 800-171. Most defense contracts require Level 2 certification. | Level 2 requires documented policies, procedures, and technical controls, including multi-factor authentication, encryption of CUI, incident response plans, and continuous monitoring. |
| Level 3: Expert | This level is required for companies that handle CUI deemed the highest priority by the DOD. It builds upon the 110 security requirements from Level 2 and adds requirements from NIST SP 800-172. | The additional requirements of this level protect against advanced persistent threats, and focus on penetration-resistant architecture, advanced monitoring and threat detection, and rapid incident response capabilities. |
The 14 CMMC domains and requirements
CMMC 2.0 aligns with NIST 800-171's 110 cybersecurity requirements, organized into 14 practice domains or control families, each addressing a critical aspect of information security.
| Control Families | Total Controls | What Is Required |
|---|---|---|
| Access Control | 22 | Limit access to authorized users and devices, and control permitted functions. |
| Audit and Accountability | 9 | Create, maintain, and protect records of system activity for monitoring and investigation. |
| Awareness and Training | 3 | Train personnel on security responsibilities and threats. |
| Configuration Management | 9 | Establish and maintain baseline configurations and control changes. |
| Identification and Authentication | 11 | Verify user and device identities before granting access. |
| Incident Response | 3 | Detect, report, and respond to cybersecurity incidents. |
| Maintenance | 6 | Perform and control system maintenance activities. |
| Media Protection | 9 | Protect and control media containing CUI. |
| Personnel Security | 2 | Identify and assess security risks to operations and assets. |
| Security Assessment | 4 | Develop and implement plans to assess security controls, and regularly evaluate effectiveness. |
| System and Communications Protection | 16 | Monitor, control, and protect system boundaries and communications. |
| System and Information Integrity | 7 | Promptly identify and correct system flaws. |
Assessment and certification process
CMMC 2.0 self-assessment requirements
- CMMC Level 1 requires an annual self-assessment, in which a company must demonstrate basic cyber hygiene practices. This includes documenting compliance, maintaining implementation evidence, and reporting self-assessment scores to the DOD.
- For CMMC Levels 2 and 3, self-assessment is the start of your compliance journey. You will need to conduct a comprehensive assessment of your company’s cybersecurity posture, identify any gaps, and develop a plan to address them.
Third-party assessment process
- Beyond the initial self-assessment, CMMC Levels 2 and 3 require independent verification of compliance.
- For Level 2 (when required by contract), organizations must engage an authorized Certified Third-Party Assessment Organization (C3PAO) to perform a formal assessment that can result in certification.
- Level 3 requires a government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in order to achieve certification.
How CyberSheath helps
We’re here to guide you through it all. Using our AIM process, we work with you to understand and address your needs.
- Assess. Our deep, specialized knowledge of CMMC, NIST, and DFARS requirements enables us to examine your infrastructure and provide a detailed report of what is needed.
- Implement. We deploy all elements — write policies, plans, and timeframes, and install technical controls required for compliance, on schedule and within budget.
- Manage. Our cost-effective managed services offering is tailored to your required CMMC level, delivered in a cloud, on-premise, or hybrid solution anchored in proven Microsoft technology.
FAQs
Do you need both DFARS and CMMC?
Yes. DFARS cybersecurity requirements have been included in the majority of DOD solicitations since 2016. Following the finalization of the CMMC Program Rule on November 10, 2025, CMMC requirements are now being phased into contracts. Contractors should expect certification to increasingly become a requirement to be eligible to bid or retain DOD work.
How does NIST SP 800-171 relate to CMMC?
NIST SP 800-171 defines the core cybersecurity controls required to protect Controlled Unclassified Information. CMMC builds on this foundation by requiring formal verification through self-assessments or third-party certification when mandated by a contract.
Who needs to be CMMC certified?
Any contractor or subcontractor that handles or will handle Controlled Unclassified Information and is required by a contract to meet CMMC must complete a self-assessment or third-party certification, depending on whether the contract specifies Level 1 or Level 2 compliance.
How do I determine which CMMC level my organization needs?
The required level is defined in the solicitation or contract. Most companies supporting DOD programs will need Level 1 or Level 2, while Level 3 will apply to a smaller number of contractors supporting higher-priority national security programs.
What is the timeline for CMMC requirements in contracts?
CMMC 2.0 went into effect on December 16, 2024, and full implementation across all applicable contracts is expected by end of 2026. CMMC is already being phased into DOD solicitations and will further expand over the next several years. All DOD contractors must be compliant by November 10, 2026, to remain eligible for contracts. Organizations that delay preparation risk losing competitiveness on new awards, recompetes, and contract renewals.
Every solution begins with a conversation.
Contact us today for a no-obligation discussion of CMMC 2.0 compliance: what's required, what you may need, and what we can do to provide it. We've helped hundreds of DOD contractors. We can help you.