See how top teams stay future-ready for audits. 🚀
Go back to blogs

CMMC 2.0 requirements explained: Compliance levels, domains, and key changes

Last updated on
December 17, 2025
4
min. read

The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) 2.0 is more than just another compliance update. It is the DoD’s way of strengthening cybersecurity across the Defense Industrial Base (DIB) by aligning with existing federal standards while simplifying implementation for contractors.

With cyber threats constantly evolving, the DoD needed a framework that could better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) without overcomplicating compliance for smaller contractors. CMMC 2.0 does exactly that by streamlining the model into three maturity levels and aligning closely with NIST SP 800-171 and FAR 52.204-21.

In this guide, we’ll break down what CMMC 2.0 is, when it is required, what changed from version 1.0, and what you need to do to get certified.

What is CMMC 2.0?

The CMMC 2.0 is the DoD’s updated framework for ensuring that contractors in the DIB maintain consistent and verified cybersecurity standards. It defines how defense contractors must safeguard two types of sensitive information: FCI and CUI.

The model establishes cybersecurity maturity across three levels (Foundational, Advanced, and Expert) based on the sensitivity of information a contractor handles. Each level corresponds to specific security requirements, ranging from basic practices aligned with FAR 52.204-21 to advanced controls derived from NIST SP 800-172.

Unlike its predecessor, which required all contractors to undergo third-party audits, CMMC 2.0 introduces flexibility through a mix of self-assessments and third-party certifications, depending on the level of sensitivity of the data involved. This update is designed to make compliance more achievable for small and medium-sized businesses while maintaining high standards for those managing critical DoD information.

Key updates in CMMC 2.0

CMMC 2.0 simplifies the earlier framework and better aligns with federal cybersecurity standards such as NIST SP 800-171. The update focuses on flexibility, cost efficiency, increasing accountability through self-attestation, and maintaining strong protection for CUI and FCI.

Here are the key changes:

Simplified levels: The model was reduced from five levels to three: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).

Alignment with NIST: CMMC 2.0 aligns its levels with existing federal standards. Level 1 aligns with FAR 52.204-21, Level 2 aligns directly with NIST SP 800-171, and Level 3 builds on NIST SP 800-172.

Assessment structure: Level 1 contractors can conduct annual self-assessments. For Level 2, non-prioritized organizations handling less sensitive CUI may also self-assess annually, while prioritized organizations must undergo third-party assessments by a Certified Third-Party Assessment Organization (C3PAO) every three years. All Level 3 contractors will require government-led assessments.

POA&M allowance: Contractors at Level 2 and Level 3 can receive contract awards if they maintain a valid Plan of Action and Milestones (POA&M) that outlines how and when unmet requirements will be addressed.

What are the current CMMC 2.0 requirements?

To achieve compliance under CMMC 2.0, organizations within the DIB must follow structured cybersecurity practices, maintain documentation, and demonstrate ongoing adherence through periodic self-assessments or third-party audits. These requirements ensure that contractors handling FCI or CUI meet the DoD’s security expectations.

Below are the core elements required for CMMC compliance.

1. System Security Plan (SSP)

An SSP documents how each applicable control or requirement is implemented within your systems and processes. It must describe the environment’s boundaries, policies, and control ownership. This document is recommended for Level 1 and mandatory for Level 2 and Level 3.

2. Plan of Action and Milestones (POA&M)

A POA&M identifies gaps in compliance and outlines how and when your organization plans to remediate them. Under CMMC 2.0, POA&Ms are permitted for certain Level 2 third-party and Level 3 assessments, but only for non-critical requirements and within defined scoring limits set by the DoD. They are not permitted for Level 1 or Level 2 self-assessments, where all requirements must be fully implemented before attestation.

3. Policies and procedures

Organizations must create, maintain, and periodically review security policies and procedures that govern operations such as access control, incident response, and risk management. These documents must reflect both the intent and evidence of control implementation.

4. Assessment and evidence records

All organizations must collect and maintain audit evidence, such as logs, screenshots, configurations, and control test results, to validate compliance claims. Evidence collection should begin early in the process to ensure readiness before formal assessment.

5. Annual affirmation and reassessments

CMMC compliance involves recurring assessments and affirmations to ensure organizations maintain security maturity over time.

Level 1: Requires an annual self-assessment, conducted internally, with results and executive affirmation submitted to the Supplier Performance Risk System (SPRS).

Level 2 (Prioritized): Requires a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) for contracts involving Controlled Unclassified Information (CUI). Certification remains valid for three years.

Level 2 (Non-Prioritized): Allows for annual self-assessments and affirmations in SPRS instead of third-party audits.

Level 3: Requires a formal audit conducted directly by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

This structure ensures that all contractors maintain continuous accountability and readiness for DoD contracts based on the sensitivity of the information they handle.

What are the requirements for CMMC’s maturity levels?

CMMC 2.0 defines three maturity levels, each aligned with the sensitivity of the information handled and the depth of security controls required. While the levels increase in rigor, they are not strictly cumulative. Level 3 includes all Level 2 practices, but Level 1 operates independently for organizations handling only Federal Contract Information (FCI).

CMMC Level 1 – Foundational

Purpose: Protect FCI.

Requirements: 17 practices derived directly from FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

Assessment: Annual self-assessment, affirmed by a senior executive.

Who needs it: Contractors and subcontractors that handle, process, or store only FCI.

Key documentation: SSP (encouraged but not mandated) and an annual self-assessment report submitted to the Supplier Performance Risk System (SPRS) as a score and affirmation.

Notable change from CMMC 1.0: Previously aligned with 15 practices, now clarified to include 17 to match FAR 52.204-21.

CMMC Level 2 – Advanced

Purpose: Protect CUI.

Requirements: 110 practices aligned with NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Assessment:

  • Self-assessment: For contracts involving non-prioritized CUI.
  • Third-party assessment (by a C3PAO): For contracts involving prioritized CUI.

Who needs it: Contractors handling CUI for the DoD.

Key documentation: System Security Plan (SSP) and supporting evidence for all Level 2 organizations. For C3PAO-led assessments only, additional deliverables include the Security Assessment Plan (SAP), Security Assessment Report (SAR), and limited POA&M for specific non-critical controls.

Assessment frequency: Annual affirmation of compliance, with third-party reassessment every three years for prioritized programs.

CMMC Level 3 – Expert

Purpose: Advanced threat protection

Requirements: 134 practices, combining all 110 from NIST SP 800-171 plus 24 enhanced requirements from NIST SP 800-172.

Assessment: Government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Who needs it: Prime contractors and select subcontractors supporting high-priority defense programs.

Key documentation: SSP, detailed risk assessments, and continuous monitoring records.

POA&M policy: Limited allowances apply, but all items must be resolved within 180 days.

Assessment frequency: Annual affirmation and full government-led reassessment every three years.

What are the domains of CMMC?

CMMC requirements are grouped into 14 domains, each representing a key area of cybersecurity. These domains cover every aspect of protecting FCI and CUI across the DIB.

1. Access Control (AC)

Defines who can access systems and information, ensuring only authorized users and devices are granted permission based on business needs.

2. Awareness and Training (AT)

Focuses on educating personnel to recognize security risks and follow proper cybersecurity practices in their daily activities.

3. Audit and Accountability (AU)

Requires maintaining system logs and monitoring user activities to detect and trace potential security incidents.

4. Configuration Management (CM)

Covers establishing and maintaining secure configurations for hardware, software, and systems to prevent unauthorized changes.

5. Identification and Authentication (IA)

Ensures that all users, processes, and devices are properly identified and authenticated before accessing systems.

6. Incident Response (IR)

Outlines how organizations prepare for, detect, report, and recover from cybersecurity incidents effectively.

7. Maintenance (MA)

Addresses the safe and secure maintenance of systems, both onsite and remotely, to prevent exploitation during servicing.

8. Media Protection (MP)

Sets controls for managing and protecting physical and digital media containing sensitive information.

9. Personnel Security (PS)

Ensures personnel are properly screened before being granted system access and that access is revoked promptly upon termination.

10. Physical Protection (PE)

Focuses on controlling physical access to systems, devices, and facilities where FCI or CUI is stored or processed.

11. Risk Assessment (RA)

Requires organizations to periodically identify, analyze, and mitigate risks to organizational operations and assets.

12. Security Assessment (CA)

Involves regularly evaluating the effectiveness of security controls and addressing any identified weaknesses.

13. System and Communications Protection (SC)

Covers securing communications and network boundaries to prevent unauthorized access or data leaks.

14. System and Information Integrity (SI)

Ensures timely detection, reporting, and correction of system flaws and protection against malicious code and unauthorized activities.

How can Scrut simplify CMMC compliance?

Scrut makes compliance across all CMMC levels more manageable and transparent. The platform automatically maps your existing security data to NIST SP 800-171 controls, providing real-time visibility into your compliance posture and reducing manual work. 

It also generates key documentation such as the System Security Plan (SSP) and required policies tailored to your environment, cutting down on the time and cost of external consulting.

During audits, Scrut streamlines evidence management, organizing and sharing artifacts with Certified Third-Party Assessment Organizations (C3PAOs) to speed up reviews. For ongoing compliance, it highlights and prioritizes remediation tasks, helping teams address critical gaps efficiently and maintain readiness year-round.

FAQs

What is the difference between CMMC 1.0 and CMMC 2.0?

CMMC 1.0 and CMMC 2.0 differ primarily in structure and approach. CMMC 1.0 originally included five levels, each with distinct and complex control requirements. CMMC 2.0 simplified the structure to three levels, Foundational, Advanced, and Expert, while aligning more closely with NIST standards. It also introduced self-assessments for certain levels, reduced redundancy, and added flexibility through limited use of Plans of Action and Milestones (POA&Ms).

How did DFARS clauses introduce CMMC?

The Defense Federal Acquisition Regulation Supplement (DFARS) clauses, specifically DFARS 252.204-7012, 7019, and 7020, established cybersecurity requirements for Defense Industrial Base (DIB) contractors. These clauses require compliance with NIST SP 800-171 and laid the foundation for CMMC as a formal verification mechanism to ensure contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

How are NIST SP 800-171 and CMMC related?

CMMC Level 2 directly maps to all 110 controls in NIST SP 800-171, which define the baseline for safeguarding CUI. In essence, CMMC builds upon NIST by introducing a verification and certification component to ensure organizations not only implement but also maintain these controls effectively.

What is the overall cost of CMMC compliance?

The cost of achieving CMMC compliance varies depending on the organization’s current cybersecurity maturity, the level of certification required, and whether third-party assessments are necessary. Level 1 self-assessments are typically low-cost, while Level 2 third-party assessments can range from several thousand to tens of thousands of dollars, depending on the environment’s complexity.

Larger organizations with multiple systems handling CUI or higher-level requirements (e.g., Level 3) generally face higher implementation and maintenance costs due to broader control coverage and stricter validation.

What are the common requirements that organizations fail in?

Organizations often struggle with access control documentation, multi-factor authentication setup, timely patch management, and maintaining an updated System Security Plan (SSP). Another frequent challenge is incomplete evidence collection, especially during third-party assessments, where lack of traceable documentation can lead to compliance gaps.

What are the consequences of non-compliance in CMMC?

Non-compliance can lead to serious consequences, including ineligibility for Department of Defense (DoD) contracts, suspension from the bidding process, or termination of existing contracts. Beyond contractual risks, non-compliance also exposes organizations to potential data breaches, reputational damage, and loss of trust within the DIB ecosystem.

Liked the post? Share on:
Susmita Joseph

Susmita Joseph is a cybersecurity and compliance enthusiast with a passion for simplifying complex topics for businesses of all sizes. With a keen interest in AI, she enjoys writing about its impact on GRC and cybersecurity, focusing on how it is reshaping the industry.

Authored by
Table of contents
Example H2
h3
Example H3
h4
Example H4
h5
Example H5
h6
Example H6
Subscribe to our newsletter
Get monthly updates and curated industry insights
Subscribe
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Join our community and be the first to know about updates!

Subscribe
I agree to receive marketing insights and other communications from Scrut Automation.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Posts

Compliance Essentials
Essential Guide to Navigating Compliance Audits
Scrut Updates
Risk Grustlers EP 18 | Bridging the security-dev divide
SOC 2
Compliance Essentials
Risk Management
Trust Management
Cloud Security
SOC 2 and your security posture: A CISO's perspective

Ready to see what security-first GRC really looks like?

The Scrut Platform helps you move fast, stay compliant, and build securely from the start.

Book a Demo
Book a Demo
Platform
Why ScrutExplore the PlatformSimplify ComplianceStreamline AuditsEmpower Your EmployeesMonitor Cyber RiskAssess Third-Party RiskValidate User PrivilegesManage Asset InventoryDemonstrate TrustAI-Powered GRCIntegrate Your Tech Stack
Frameworks
SOC 2ISO 27001GDPRPCI DSSHIPAANIST AI RMFCustom FrameworksAll Frameworks
Company Stages
StartupGrowthEnterprise
Industry
Enterprise SoftwareFinancial ServicesHealthcareTravel and TourismEducation
Resources
BlogEbooksPodcastSuccess StoriesWebinarsEventsGlossaryFAQs
Hubs
SOC 2 HubISO 27001 HubHIPAA HubExplore All Hubs
Partners
Become a PartnerFind a Partner
Company
CustomersAboutCareersNewsroomSecurity
TrustTerms of UsePrivacy PolicyCookies Policy
© 2024 Scrut Automation. All Rights Reserved.