CMMC Framework

CMMC 2.0 Maturity Model Explained

Understand the three CMMC levels, 14 security domains, and assessment requirements that determine your organization's path to certification and contract eligibility.

CMMC Registered Practitioner Org | BBB A+ Since 2003 | 23+ Years Experience

Three Levels

CMMC 2.0 Maturity Levels

Each level builds on the one below it, creating a cumulative security posture from basic hygiene to expert-level protections.

L1

Foundational: 17 practices from FAR 52.204-21 for FCI. Annual self-assessment.

L2

Advanced: 110 practices from NIST SP 800-171. C3PAO or self-assessment for CUI.

L3

Expert: 110+ practices including NIST SP 800-172. Government-led DIBCAC assessment.

Key Terms

CMMC Terminology

Essential acronyms and concepts for navigating the CMMC framework.

FCI vs. CUI

FCI is contract information provided by the government that is not intended for public release. CUI requires safeguarding under law or regulation but is not classified.

C3PAO

CMMC Third-Party Assessment Organization authorized by the Cyber AB to conduct Level 2 assessments.

DIBCAC

Defense Industrial Base Cybersecurity Assessment Center conducts government-led Level 3 assessments.

SPRS

Supplier Performance Risk System where contractors post their NIST SP 800-171 self-assessment scores (-203 to 110).

POA&M

Plan of Action and Milestones documenting unimplemented requirements with timelines. Must close within 180 days under CMMC.

APT

Advanced Persistent Threats are sophisticated nation-state adversaries. Level 3 protects CUI against these actors.

Standards

Standards Referenced by CMMC

CMMC consolidates requirements from multiple established frameworks into a single verifiable model.

Core NIST Standards

  • NIST SP 800-171 Rev 2: Protecting CUI in Nonfederal Systems
  • NIST SP 800-172: Enhanced CUI Security Requirements
  • NIST SP 800-53 Rev 5: Security and Privacy Controls
  • NIST Cybersecurity Framework (CSF)

Regulatory Clauses and Related Frameworks

  • FAR 52.204-21: Basic Safeguarding of Contractor Systems
  • DFARS 252.204-7012, 7019, 7020: Defense Federal Acquisition Regulation Supplement clauses
  • CIS Controls v8: Critical Security Controls
  • 32 CFR Part 170: Final CMMC Rule (October 2024)

FAQ

Frequently Asked Questions

How does CMMC 2.0 differ from CMMC 1.0?

CMMC 2.0 reduced the model from five levels to three, eliminated CMMC-unique practices, aligned directly with existing NIST standards, and introduced self-assessment options for Level 1 and some Level 2 programs.

What level do most defense contractors need?

Most contractors handling CUI need Level 2. FCI-only contractors need Level 1. Level 3 is reserved for the highest-priority programs involving the most sensitive CUI categories.

Are CMMC requirements cumulative?

Yes. Level 2 includes all Level 1 practices. Level 3 includes all Level 2 practices plus additional NIST SP 800-172 requirements. Each level builds on the previous one.

What is the relationship between NIST SP 800-171 and CMMC?

CMMC Level 2 maps one-to-one to the 110 security requirements in NIST SP 800-171 Rev 2. CMMC adds the assessment and certification layer that NIST alone does not provide.

Can subcontractors be assessed at a lower level than the prime?

The required level depends on the type of information a subcontractor handles, not the prime's level. FCI-only subcontractors may need only Level 1; CUI handlers need Level 2 regardless.

How does PTG help with CMMC preparation?

As a CMMC Registered Practitioner Organization (RPO), PTG provides gap analysis, remediation, SSP development, POA&M management, pre-assessment reviews, and ongoing compliance monitoring.

Get Started

Understand Your CMMC Level Requirements

Schedule a free consultation with our certified CMMC Registered Practitioners to determine your path to compliance.