CMMC 2.0: What you need to know
If you work with the Department of Defense, CMMC certification is no longer optional. Here's what it means for your business.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a DoD program that requires defense contractors to implement specific cybersecurity controls based on the type of information they handle.
CMMC applies to every company in the Defense Industrial Base (DIB) that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
CMMC 2.0 is now in effect
The final rule (32 CFR Part 170) was published in October 2024 and took effect December 16, 2024. CMMC requirements are being included in new DoD contracts now.
Level 1 vs Level 2
Level 1
FCI Protection
- 15 security practices from FAR 52.204-21
- Self-assessment only — no third-party audit required
- Pass/Fail — no SPRS numeric score
- For contractors who handle FCI only (no CUI)
Based on CMMC Assessment Guide Level 1 v2.13
Level 2
CUI Protection
- 110 security controls from NIST SP 800-171 Rev 2
- Self-assessment or a C3PAO (Certified Third-Party Assessment Organization) audit, depending on the contract
- SPRS score ranging from -203 to 110, reported to DoD
- For contractors who handle CUI
Based on CMMC Assessment Guide Level 2 v2.13
Where CMMC fits in the regulatory landscape
FAR 52.204-21
Basic safeguarding of FCI, consisting of 15 requirements. This is the baseline CMMC Level 1 certifies against.
DFARS 252.204-7012
Requires NIST SP 800-171 compliance (110 controls) for systems that handle CUI. This is the baseline CMMC Level 2 certifies against.
32 CFR Part 170 (CMMC Final Rule)
The CMMC program rule that makes certification a contract requirement. Effective December 16, 2024.
Not sure which level you need?
Request a demo and we'll help you determine your CMMC level and build a compliance roadmap.