AuditXYZ

Compliance Framework

Cybersecurity Maturity Model Certification (CMMC) 2.0

CMMC 2.0 is the DoD's framework for verifying cybersecurity practices among defense contractors. Learn about the three certification levels and how to prepare for assessment.

$20,000–$300,0003–18 monthsAudit Required2.0 (2024)
Request a ConsultationSee process
Issuing BodyUnited States Department of Defense (DoD)
First Published2020-01-31
Latest Version2.0 (2024)
Typical Cost$20,000–$300,000
Typical Timeline3–18 months
Audit RequiredYes
Audit FrequencyLevel 1: annual self-assessment. Level 2: triennial third-party assessment (C3PAO) or annual self-assessment depending on contract. Level 3: triennial government-led assessment.
Geographyunited-states

CMMC: Cybersecurity Maturity Model Certification Guide

The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense's program for verifying that defense contractors adequately protect sensitive information. CMMC 2.0, finalized in 2024, streamlined the model from five levels to three and aligned directly with existing NIST standards.

What CMMC Covers

CMMC 2.0 defines three certification levels:

Level 1 (Foundational) — 17 basic cyber hygiene practices derived from FAR 52.204-21, protecting Federal Contract Information (FCI). Covers basic access control, identification, media protection, physical protection, system protection, and system integrity.

Level 2 (Advanced) — 110 practices directly mapped to NIST SP 800-171 Rev 2, protecting Controlled Unclassified Information (CUI). This is the most common level required for defense contracts involving CUI.

Level 3 (Expert) — All Level 2 requirements plus additional practices from NIST SP 800-172, protecting CUI against advanced persistent threats. Required for the most sensitive programs.

Who Needs CMMC

Any organization in the Defense Industrial Base (DIB) that handles FCI or CUI will need CMMC certification. This includes prime contractors, subcontractors, and suppliers at every tier of the defense supply chain. An estimated 200,000+ companies will need some level of CMMC certification.

CMMC requirements will be phased into DoD contracts starting in 2025. Organizations without the required CMMC level will be ineligible to bid on or continue performing affected contracts.

Assessment Process

Level 1 — Annual self-assessment with senior official affirmation. Results reported to the Supplier Performance Risk System (SPRS).

Level 2 (Third-Party) — Assessment by a CMMC Third-Party Assessor Organization (C3PAO). The assessor evaluates all 110 practices, and the organization must demonstrate implementation with evidence. Certification is valid for three years.

Level 2 (Self-Assessment) — Permitted for certain contracts with lower CUI sensitivity. Annual self-assessment with SPRS reporting.

Level 3 — Government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Preparation Steps

  1. Determine required level — Review current and anticipated contracts for CMMC requirements
  2. Scope your environment — Identify all systems that process, store, or transmit FCI/CUI
  3. Conduct gap assessment — Compare current practices against required controls
  4. Create SSP and POA&M — Document your system security plan and remediation milestones
  5. Implement controls — Deploy required technical, administrative, and physical safeguards
  6. Self-assess — Score your implementation using the DoD assessment methodology
  7. Engage C3PAO — For Level 2 third-party assessment, schedule your certification audit

Common Challenges

The most challenging aspects for small and mid-size defense contractors include defining the CUI boundary, implementing multi-factor authentication across all CUI-handling systems, establishing a security operations capability for monitoring, and managing the cost of compliance relative to contract value.

Get the CMMC starter pack

By submitting, you agree to our privacy policy.

Framework Mappings

Related frameworks

nist-800-171nist-800-53nist-csfiso-27001

Get matched with a CMMC auditor in 24 hours

Free, no-obligation — just tell us your email and we'll do the rest.

By submitting, you agree to our privacy policy.

Related Frameworks

ISO 27001
Framework
ISO 27001 is the international gold standard for information security management. This guide covers everything from scoping to certification, with real costs, timelines, and practical implementation advice.
View
NIST CSF
Framework
The NIST Cybersecurity Framework provides a flexible, risk-based approach to managing cybersecurity risk. Learn how CSF 2.0 helps organizations of all sizes improve their security posture.
View
NIST 800-171
Framework
NIST SP 800-171 defines 110 security requirements for protecting CUI in nonfederal systems. Essential reading for any organization handling controlled unclassified information.
View
NIST 800-53
Framework
NIST SP 800-53 Rev 5 defines over 1,000 security and privacy controls for federal systems and organizations. Learn how to navigate control baselines and implement effectively.
View

Recommended Tools

6clicks Review 2026: Pricing, Features, and Verdict
Tool
Review of 6clicks, the AI-powered GRC platform with hub-and-spoke architecture. Covers Hailey AI, multi-entity support, pricing, and ideal use cases.
View
Akitra Review 2026: Pricing, Features, and Verdict
Tool
Review of Akitra, a compliance automation platform with broad framework coverage including FedRAMP and CMMC. Covers pricing, features, and who should use it.
View
Anecdotes Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes, a compliance OS that aggregates security tool data. Covers the aggregation approach, AI gap analysis, and comparison with Vanta.
View
Anecdotes Trust Center Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes Trust Center, the compliance-as-code trust portal. Covers live compliance sync, developer-friendly approach, pricing, and positioning.
View