Compliance controls

An Overview of CMMC 2.0 Controls

CMMC 2.0 is the latest version of the Cybersecurity Maturity Model Certification (CMMC) framework, which is designed to assess and enhance the cybersecurity posture of organizations that do business with the Department of Defense (DOD). The CMMC 2.0 framework has three levels, each with its own set of security controls that organizations must implement to achieve certification.

Your organization will need to meet the requirements of CMMC 2.0, to be able to demonstrate good cybersecurity hygiene as well as to be eligible for DOD contracts. If you are holding out on adding your entity to the certification queue, be advised that the line is long. The time to meet the requirements and start the certification process is now.

Level 1: Foundational

This level, which was referred to as ‘basic cyber hygiene’ in CMMC 1.0, requires organizations to implement essential cybersecurity practices to protect federal contract information (FCI). The controls at this level are designed to be universally applicable. These 17 cybersecurity practices are drawn from the FAR (Federal Acquisition Regulation) 52.204-21 and NIST SP 800-171.

The controls at this level include:

Control Security Requirement
AC.L1-3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
AC.L1-3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
AC.L1-3.1.20 Verify and control/limit connections to and use of external systems.
AC.L1-3.1.22 Control CUI posted or processed on publicly accessible systems.
IA.L1-3.5.1 Identify system users, processes acting on behalf of users, and devices.
IA.L1-3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
MP.L1-3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse.
PE.L1-3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
PE.L1-3.10.3 Escort visitors and monitor visitor activity.
PE.L1-3.10.4 Maintain audit logs of physical access.
PE.L1-3.10.5 Control and manage physical access devices.
SC.L1-3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
SC.L1-3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
SI.L1-3.14.1 Identify, report, and correct system flaws in a timely manner.
SI.L1-3.14.2 Provide protection from malicious code at designated locations within organizational systems.
SI.L1-3.14.4 Update malicious code protection mechanisms when new releases are available.
SI.L1-3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

Level 2: Advanced

Originally known as ‘intermediate cyber hygiene’ in CMMC 1.0, this level requires organizations to implement a more comprehensive set of cybersecurity practices to protect controlled unclassified information (CUI). The controls at this level are designed to be more prescriptive and include specific requirements for policies, procedures, and documentation. Level 2 has 110 security requirements and 320 assessment objectives aligned with NIST SP 800-171.


The controls at this level include:


Control Family Number of Requirements Overview
Access Control 22 Requires contractors to implement access controls to limit access to CUI only to authorized individuals. This includes implementing strong authentication mechanisms and restricting access based on job functions and the need to know.
Awareness and Training 3 Requires contractors to implement awareness and training programs for employees to ensure they know their cybersecurity responsibilities and understand how to identify and report cybersecurity incidents.
Audit and Accountability 9 Requires contractors to implement audit and accountability controls to track and monitor system activity and detect any unauthorized access or changes to CUI. This includes implementing logging and monitoring capabilities and conducting regular audits to ensure compliance.
Configuration Management 9 Requires contractors to implement configuration management controls to ensure that systems are configured securely, and any changes are documented and approved. This includes implementing change management processes and monitoring unauthorized changes.
Identification and Authentication 11 Requires contractors to implement strong identification and authentication controls to ensure that only authorized individuals can access CUI. This includes implementing multi-factor authentication and password policies.
Incident Response 3 Requires contractors to implement incident response procedures to detect, respond to, and recover from cybersecurity incidents. This includes establishing an incident response team and conducting regular incident response exercises.
Maintenance 6 Requires contractors to implement maintenance controls to ensure that systems and software are updated and patched in a timely manner to address known vulnerabilities.
Media Protection 9 Requires contractors to implement media protection controls to protect any media containing CUI from unauthorized access, theft, or damage. This includes implementing physical security measures and secure handling procedures.
Personnel Security 2 Requires contractors to implement personnel security controls to ensure that individuals with access to CUI are trustworthy and have been properly vetted. This includes conducting background checks and implementing termination procedures.
Physical Protection 6 Requires contractors to implement physical security controls to protect CUI from unauthorized access or damage. This includes implementing access controls and monitoring for suspicious activity.
Risk Assessment 3 Requires contractors to conduct regular risk assessments to identify potential threats and vulnerabilities to CUI and implement appropriate mitigation measures.
Security Assessment 4 Requires contractors to conduct regular security assessments to evaluate the effectiveness of their security controls and identify any weaknesses or gaps.
System and Communications Protection 16 Requires contractors to implement security controls to protect systems and communications from unauthorized access or interception. This includes implementing encryption and access controls.
System and Information Integrity 7 Requires contractors to implement security controls to ensure the integrity of systems and information, including detecting and mitigating any malicious code or unauthorized changes. This includes implementing integrity checks and monitoring for suspicious activity.

Level 3: Expert

Level 3 certification is the highest level and is required for companies that handle CUI, which the DOD deems the highest priority. Referred to as ‘advanced’, in CMMC 1.0, this level builds upon the 110 security requirements from level 2 with additional requirements from NIST SP 800-172. These additional requirements have yet to be determined.

If you have any questions regarding your cybersecurity requirements and the CMMC level you need to attain, contact the team at CyberSheath. We’re the CMMC experts—and we’re here to help.

Join us for CMMC CON 2024 on Sept. 25, 2024, at 9am EST for a free, virtual, one-day conference focused on safeguarding against cyber threats.
This is default text for notification bar