Upcoming Event: Accelerate CMMC compliance with HPSI | April 12, 2024 | Learn more
 Cybersecurity Maturity Model Certification (CMMC) 2.0: What you need to know

Cybersecurity Maturity Model Certification (CMMC) 2.0: What you need to know

Cybersecurity Maturity Model Certification (CMMC) 2.0: What you need to know

The Cybersecurity Maturity Model Certification (CMMC) is a set of requirements that defense contractors must meet to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC 2.0 is the latest version of the CMMC framework, and it is designed to be more streamlined and easier to implement than the previous version.

How CMMC 2.0 Differs from CMMC 1.0

There are several key differences between CMMC 2.0 and CMMC 1.0.

First, CMMC 2.0 has been simplified from five levels to three levels.

Second, CMMC 2.0 has been aligned with the NIST Cybersecurity Framework (NIST CSF), which is a widely accepted framework for cybersecurity. This alignment makes it easier for contractors to implement CMMC requirements and to demonstrate compliance.

Third, CMMC 2.0 has been made more flexible. For example, contractors can now self-assess their compliance with the requirements, and they can also use a spreadsheet to track their progress granted that the template was made by an expert in this compliance.

Who are Covered by CMMC 2.0?

CMMC 2.0 applies to all contractors who work on or have access to CUI or FCI. This includes prime contractors, subcontractors, and suppliers. If you’re planning to bid on DoD contracts, then you will need to comply to this requirement.

What Are The Different Levels of CMMC 2.0 and What Do They Mean?

The three levels of CMMC 2.0 are:

  • Level 1 Foundational: Basic cyber hygiene. This level requires contractors to implement basic cybersecurity controls, such as password management and access control.
  • Level 2 Advanced: Intermediate cyber hygiene. This level requires contractors to implement more advanced cybersecurity controls, such as vulnerability scanning and incident response.
  • Level 3 Expert: Advanced cyber hygiene. This level requires contractors to implement the most advanced cybersecurity controls, such as threat intelligence.

How do I determine which CMMC 2.0 level do I need to comply with?

First, we need to define what data you need to protect. In relation to CMMC, there are two types: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

CUI refers to unclassified information that requires safeguarding or dissemination controls to protect it from unauthorized access or disclosure. It encompasses a wide range of sensitive information that is not classified but still requires protection due to its potential impact on national security, privacy, or other interests. CUI can include proprietary business information, personally identifiable information (PII), sensitive research data, critical infrastructure data, and more.

FCI refers specifically to information that is provided by or generated for the U.S. federal government under a contract. It is not intended for public release and is subject to specific security requirements to safeguard the interests of the government and its contractors. FCI can include data related to pricing, cost estimates, financial information, technical specifications, systems designs, and any other information provided by or generated for the government in the process of fulfilling a federal contract.

Consider the type of work you do for the DoD. Some contracts may require a higher level of compliance than others.

  • Assess your exposure to CUI or FCI. This includes understanding the type of CUI or FCI they handle, the sensitivity of the information, and the potential impact of a data breach.
  • Consult with a cybersecurity expert. A cybersecurity expert can help businesses assess their exposure to CUI or FCI, identify the appropriate CMMC level, and develop a compliance plan.

Best Practices for Achieving CMMC Compliance

As a contractor, you need to consider various aspects of your business that may fall under this compliance in relation to CUI or FCI data handling such as:

  • Your employees
  • The technologies you use
  • The facilities you have and your employees use
  • External Service Providers that you work with or use to conduct your day-to-day business

There are several best practices that contractors can follow to achieve CMMC compliance. These include:

  • Start by conducting a cybersecurity assessment. This will help you to identify the gaps in your cybersecurity posture and to develop a plan to address them.
  • Implement the necessary cybersecurity controls. This includes implementing technical controls, such as firewalls and intrusion detection systems, as well as administrative controls, such as employee training and security awareness.
  • Document your cybersecurity processes and procedures. This will help you to demonstrate compliance with the CMMC requirements.
  • Get certified by a third-party assessor. This is the final step in the CMMC compliance process.


CMMC 2.0 is a significant improvement over the previous version of the framework. It is more streamlined, easier to implement, and aligned with the NIST CSF. Contractors who are serious about protecting CUI and FCI should start planning their CMMC compliance journey today.