CMMC 2.0 Guide

Everything you need to know about the Cybersecurity Maturity Model Certification.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for DoD contractors. It ensures that companies handling sensitive defense information have adequate security controls in place.

CMMC 2.0 streamlined the original five levels into three, aligning more closely with existing NIST standards. All defense contractors will need CMMC certification to bid on and win DoD contracts.

CMMC Levels

Level 1: Foundational

17 Controls | Annual Self-Assessment

Basic cyber hygiene practices. Required for all DoD contractors handling FCI.

Protects: Federal Contract Information (FCI)

Level 2: Advanced

110 Controls | Self or C3PAO Assessment

Aligned with NIST SP 800-171. Required for contractors handling CUI.

Protects: Controlled Unclassified Information (CUI)

Level 3: Expert

134 Controls | DIBCAC Assessment

Enhanced security for high-value contracts. Includes additional controls beyond NIST SP 800-171.

Protects: Critical CUI

14 Control Families

CMMC Level 2 includes 110 controls organized into 14 families:

AC - Access Control: 22 controls
AT - Awareness & Training: 3 controls
AU - Audit & Accountability: 9 controls
CM - Configuration Management: 9 controls
IA - Identification & Authentication: 11 controls
IR - Incident Response: 3 controls
MA - Maintenance: 6 controls
MP - Media Protection: 9 controls
PE - Physical Protection: 6 controls
PS - Personnel Security: 2 controls
RA - Risk Assessment: 3 controls
CA - Security Assessment: 4 controls
SC - System & Communications Protection: 16 controls
SI - System & Information Integrity: 7 controls

Key Concepts

SPRS Score

Your compliance score ranges from -203 to 110. A score of 88+ is required for conditional certification.

POA&M

Plan of Action & Milestones. You have 180 days to remediate gaps, but only 1-point controls can be on POA&M.
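A worked version of the SPRS scoring and POA&M rules above, added here as an example (it is not code from this guide or from the CMMC program). It assumes the DoD assessment methodology's 5-, 3- and 1-point deductions per unmet control; the control labels in the sample gap list are constructed, not official control numbers.

```python
"""SPRS score and POA&M eligibility check (added example, not from the guide).

Assumptions: each unmet control deducts 5, 3 or 1 points from 110 (DoD
assessment methodology); control labels below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110            # every Level 2 control implemented
CONDITIONAL_MIN = 88       # guide: 88+ needed for conditional certification
POAM_WEIGHT = 1            # guide: only 1-point controls may sit on a POA&M
POAM_DAYS = 180            # guide: 180 days to remediate POA&M items
VALID_WEIGHTS = {1, 3, 5}  # assumed point values per unmet control


@dataclass(frozen=True)
class Gap:
    control: str   # constructed label such as "IA-example-mfa"
    weight: int    # points deducted while this control is unmet


def sprs_score(gaps):
    """Start at 110 and subtract the weight of every unmet control."""
    for g in gaps:
        if g.weight not in VALID_WEIGHTS:
            raise ValueError(f"{g.control}: weight must be 1, 3 or 5")
    return MAX_SCORE - sum(g.weight for g in gaps)


def assess(gaps, assessment_date):
    """Score the gap list and decide whether the gaps can ride on a POA&M."""
    score = sprs_score(gaps)
    # Any 3- or 5-point gap cannot be deferred: it must be fixed before assessment.
    blocking = sorted(g.control for g in gaps if g.weight != POAM_WEIGHT)
    meets_floor = score >= CONDITIONAL_MIN
    return {
        "score": score,
        "meets_score_floor": meets_floor,
        "poam_eligible": not blocking,
        "conditional": meets_floor and not blocking,
        "blocking": blocking,
        "poam_deadline": assessment_date + timedelta(days=POAM_DAYS),
    }


# Constructed sample: three unmet 1-point controls and one unmet 5-point control.
SAMPLE_GAPS = [Gap("MP-example-1", 1), Gap("PE-example-2", 1),
               Gap("PS-example-3", 1), Gap("IA-example-mfa", 5)]
SAMPLE_DATE = date(2025, 1, 15)

if __name__ == "__main__":
    print(assess(SAMPLE_GAPS, SAMPLE_DATE))  # score 102, blocked by IA-example-mfa
```

The sample scores 102, above the 88 floor, yet the 5-point gap keeps it off a POA&M-only path until that control is implemented.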

See where you stand

Use our free SPRS calculator to assess your current compliance posture.
