Understanding the CMMC 2.0 Framework

CMMC is a certification program created by the Department of Defense (DoD) that reviews your organization’s cybersecurity.

If you haven’t heard about the Cybersecurity Maturity Model Certification (CMMC), chances are, you’re about to. 

A certification that’s gaining “must” status for organizations of all types, the latest iteration of this certification – CMMC 2.0 – is aimed at companies working with government entities.  

That means if your organization is pursuing government contracts, you’ll be expected to meet CMMC 2.0 parameters. To be sure, CMMC 2.0 compliance requirements are no easy thing to meet. But when you’re compliant, it means your organization meets some of the most stringent cybersecurity regulations out there. 

In this article, we’ll look at:

  • What’s CMMC 2.0
  • What it means for you
  • CMMC 2.0 levels

What is CMMC 2.0 & Why it Matters

CMMC is a certification program created by the Department of Defense (DoD) that reviews your organization’s cybersecurity, and provides guidelines based on the three maturity levels of CMMC compliance. Because CMMC is constantly changing, and new rules are being created, one of the best ways to stay informed is by visiting the official DoD website for CMMC here

The benefits to CMMC may not be immediately clear due to the consistent changes to your work environment. From the start of your CMMC journey, your organization is given a score. As you implement the controls, your score will increase.

Your CMMC score is similar to a credit score. It’s not easy to build and quick to drop, but the benefits of having a high score will pay for itself. If your compliance score is too low, your company won't be able to do any business with the government. Not only that, your company will be vulnerable to cyberattacks. 

A Look at the CMMC 2.0 Levels

Prior to November 2021, the CMMC framework consisted of five levels. In efforts to make it easier to be CMMC compliant, the DoD condensed the levels to three:

Level 1 - Foundational
Level 2 - Advanced
Level 3 - Expert 

CMMC compliance can be tricky. However, partnering with a CMMC consultant can take the guesswork out of something that is relatively new, and constantly evolving. Contact us to start your customized CMMC roadmap! 

Level 1 - Foundational 

The first stop of many on the long road to being CMMC compliant. The foundational layer, AKA Level 1, is the starting point comprising basic cybersecurity practices that are easier to implement. The purpose of the foundational layer is to ensure that organizations have fundamental security measures and to protect sensitive information. 

This layer consists of 17 cybersecurity practices that come from the National Institute of Standards and Technology (NIST) Special Publication 800-171. A few examples of the NIST cybersecurity practices you’ll be expected to employ are: 

  • Identify
  • Protect
  • Detect

Further Reading: For a more in-depth breakdown, check out our blog: What Is a NIST 800-171 Compliance Audit


Level 2 - Advanced 

The second level of CMMC 2.0 (or the “advanced” level) is directed at organizations working with controlled unclassified information (CUI). This level is similar to level 3 of CMMC 1.0, with the key difference being it’s missing the maturity processes and practices that were originally specific to CMMC. 

Level 2 uses 14 different control types and 110 security controls from the NIST special publication 800-171. Similar to level 1, the advanced layer is designed to keep sensitive information safe.


Level 3 - Expert

The final level of CMMC 2.0 is the expert level. The intent of level 3 is to focus on minimizing risks from Advanced Persistent Threats (APTs). In addition to APTs, level 3 is fit for organizations that work with high priority CUIs, or data that is critical to our national security. 

As of this writing, the DoD is still working towards developing specific requirements for this level, but it’s safe to assume that this level is comparable to level 5 of CMMC 1.0. Meaning, we can expect level 3 to be based on 110 controls from NIST 800-171 & NIST 800-172. 

Getting an Expert Opinion 

Prior to the release of CMMC 2.0, all DoD contractors were required to have a third-party assessment or a CMMC audit to meet compliance. However, with CMMC 2.0 that is no longer the case. Now, requirements are solely based on how critical your information is to national security. 

If your business works with the DoD, or any other government entity, CMMC compliance is in your near future. The length of time it takes to be CMMC compliant after a CMMC audit can be months to even years of changes to your organization. 

For more information about CMMC 2.0 or NIST 800-171, reach out to our team at Omnis!

Similar posts