Federal Government / Defense Contractor Requirement

CMMC

Cybersecurity Maturity Model Certification Version 2.0

Legally Required Featured Framework

Comprehensive framework established by U.S. Department of Defense to verify and certify that Defense Industrial Base contractors and subcontractors have implemented required cybersecurity safeguards to protect Federal Contract Information and Controlled Unclassified Information.

Executive Summary

CMMC 2.0 provides a tiered cybersecurity certification (Levels 1-3) for DoD contractors, with the level set by the sensitivity of the information handled. Level 1 (17 practices, annual self-assessment) protects FCI. Level 2 (110 practices from NIST SP 800-171, triennial assessment) protects CUI. Level 3 (134 practices, including NIST SP 800-172, government-led assessment) covers critical programs. Implementation begins November 10, 2025.

Comprehensive Documentation

Cybersecurity Maturity Model Certification (CMMC) 2.0

Overview

CMMC 2.0 is a comprehensive framework established by the U.S. Department of Defense to verify and certify that Defense Industrial Base (DIB) contractors and subcontractors have implemented required cybersecurity safeguards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Current Version: CMMC 2.0 Version 2.13 (September 2024)
Official Regulation: 32 CFR Part 170
DFARS Integration: DFARS 252.204-7021
Implementation Date: November 10, 2025

Program History

CMMC 1.0 (Initial Version)


  • Five-level certification structure

  • More complex assessment requirements

  • Higher costs for industry


Transition to CMMC 2.0


  • Announcement: November 17, 2021 (Federal Register)

  • Rationale: Reduce costs, particularly for small businesses; increase trust in assessment process

  • Final Rule Published: October 15, 2024 (89 FR 83092)

  • Final Rule Effective: December 16, 2024

  • DFARS Implementation: November 10, 2025


Certification Levels Overview

Level   | Focus          | Assessment Type          | Frequency | Practices
--------|----------------|--------------------------|-----------|----------------------------------------
Level 1 | FCI Protection | Annual Self-Assessment   | Annual    | 17 practices (FAR 52.204-21)
Level 2 | CUI Protection | C3PAO or Self-Assessment | Triennial | 110 practices (NIST SP 800-171)
Level 3 | APT Mitigation | Government (DIBCAC)      | Triennial | 134 practices (NIST 800-171 + 800-172)

Level 1: Foundational Cybersecurity (FCI Protection)

Purpose and Scope


CMMC Level 1 is designed for contractors processing, storing, or transmitting Federal Contract Information (FCI) on contractor-owned information systems.

Security Practices


  • Total Practices: 17 security practices

  • Standard: Based on FAR Clause 52.204-21

  • Scope: All assets processing, storing, or transmitting FCI


Assessment Requirements


  • Assessment Type: Annual Self-Assessment

  • Frequency: Required annually

  • No C3PAO Required: Organizations self-assess without external assessors

  • Passing Criteria: Achieve MET or NOT APPLICABLE on all 17 practices


Key Characteristics


  • Low-cost implementation for small businesses

  • Basic cyber hygiene focus

  • Minimal third-party involvement


Level 2: Advanced Cybersecurity (CUI Protection)

Purpose and Scope


CMMC Level 2 is designed for contractors processing, storing, or transmitting Controlled Unclassified Information (CUI) on contractor-owned information systems.

Security Practices


  • Total Practices: 110 security practices

  • Standard: NIST Special Publication 800-171, Revision 2

  • Assessment Methodology: Based on NIST SP 800-171A


Assessment Requirements

Type 1: Self-Assessment (Level 2 Self)

  • Contractor performs assessment internally

  • For non-critical contracts handling CUI

  • Annual affirmations required


Type 2: Certification Assessment by C3PAO (Level 2 C3PAO)
  • Performed by Certified Third-Party Assessment Organization

  • Required for critical contracts handling CUI

  • Third-party verification and validation

  • Higher assurance level


Assessment Frequency:
  • Initial assessment required for contract award

  • Recertification every 3 years (triennial)

  • Annual affirmations required between assessments


Passing Criteria and Scoring


  • Minimum Passing Score (requirements basis): 80 percent (80/110 requirements)

  • Scoring Framework: Security requirements valued at 1, 3, or 5 points

  • Scoring Range: -203 to 110 points

  • Minimum Passing Score (points basis): 88 points (88/110)


Conditional Status:
  • Contractors may receive Conditional CMMC Level 2 Status when achieving minimum 80/110

  • All NOT MET requirements must be remedied within 180 days

  • Requirements placed on Plan of Action and Milestones (POA&M)


C3PAO (Certified Third-Party Assessment Organization)


Definition: Organizations authorized/accredited to conduct CMMC Level 2 Certification Assessments

Accreditation Requirements:

  • Compliance with ISO/IEC 17020:2012 standard

  • Oversight by CMMC Accreditation Body (Cyber AB)

  • Maintain quality management systems


NIST SP 800-171 R2 Control Families (14 families)


  1. Access Control (AC)

  2. Awareness and Training (AT)

  3. Audit and Accountability (AU)

  4. Security Assessment and Authorization (CA)

  5. Configuration Management (CM)

  6. Identification and Authentication (IA)

  7. Incident Response (IR)

  8. Maintenance (MA)

  9. Media Protection (MP)

  10. Personnel Security (PS)

  11. System and Communications Protection (SC)

  12. System and Information Integrity (SI)

  13. Supply Chain Risk Management (SR)

  14. System Development and Acquisition (SA)


Level 3: Expert Cybersecurity (APT Mitigation)

Purpose and Scope


CMMC Level 3 is designed for contractors handling critical or high-value CUI requiring protection against Advanced Persistent Threats (APTs). Applies to approximately 1,500 DIB companies.

Security Practices


  • Total Practices: 134 security practices
      - 110 practices from NIST SP 800-171 R2 (base)
      - 24 additional practices from NIST SP 800-172 (enhanced)

Assessment Requirements


  • Assessment Type: Government-led Assessment by DIBCAC

  • Conducting Organization: Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) only

  • Frequency: Triennial (every 3 years)

  • Prerequisite: Must have achieved Final Level 2 CMMC Status first


Passing Criteria


  • Minimum Achievement: All Level 3 requirements must be met (MET or NOT APPLICABLE)

  • Status: Final Level 3 (DIBCAC)

  • No intermediate status available


NIST SP 800-172 Enhanced Requirements


The 24 additional requirements focus on:
  • Advanced threat protection

  • Zero-trust architecture principles

  • Incident response enhancements

  • Supply chain risk management

  • Advanced detection and response capabilities

  • Enhanced monitoring and logging

  • Advanced cryptography


Assessment Structure

Assessment Types

Level 1 (Self):

  • Contractor self-assessment

  • Annual frequency

  • No third-party assessor required


Level 2 (Self):
  • Contractor self-assessment

  • Triennial with annual affirmations

  • Non-critical programs


Level 2 (C3PAO):
  • Third-party certification assessment

  • Triennial with annual affirmations

  • Critical programs


Level 3 (DIBCAC):
  • Government-conducted assessment

  • Triennial with annual affirmations

  • Critical/high-value CUI only


DFARS Integration

Primary DFARS Clauses

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

  • Establishes NIST SP 800-171 R2 requirements

  • 72-hour cyber incident reporting requirement

  • Applies to all contracts involving CUI


DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
  • Effective Date: October 1, 2025 for most acquisitions

  • Requirement: Contractors must have current CMMC certificate at level specified in contract

  • Contract Ineligibility: Contracting officers cannot award contracts without required CMMC certificate


Flow-Down Requirements


  • CMMC requirements flow down through entire supply chain

  • Subcontractors receiving FCI must meet Level 1 minimum

  • Subcontractors receiving CUI must meet Level 2 minimum

  • If prime requires Level 3, subcontractors require minimum Level 2


Scope: Defense Industrial Base (DIB)

Who Must Comply

Primary Applicability:

  • All DoD contractors and subcontractors

  • Organizations bidding on DoD contracts

  • Prime contractors at any tier

  • Subcontractors at any depth in supply chain

  • Small businesses, large businesses, all sizes


Triggering Factor:
  1. Federal Contract Information (FCI) → Level 1 minimum

  2. Controlled Unclassified Information (CUI) → Level 2 minimum

  3. Critical/High-value CUI → Level 3 requirement


Massachusetts Defense Contractors

Major Massachusetts-Based Prime Contractors:

  • Raytheon Technologies Corporation (Waltham, MA)

  • General Dynamics Corporation (Dedham, MA)

  • Northrop Grumman (New England facilities)

  • Textron Systems Corporation

  • Leidos Holdings, Inc.

  • SAIC (Science Applications International Corporation)


Supply Chain Impact:
  • Massachusetts has significant tier-2 and tier-3 subcontractor base

  • Software development companies

  • Component manufacturers

  • Engineering and design firms

  • Test and evaluation facilities

  • Research institutions (MIT, Harvard, UMass with DoD contracts)


Enforcement: Contract Requirement and Phased Rollout

Enforcement Authority

Contracting Officer Authority:

  • Not making contract awards to non-compliant contractors

  • Not exercising contract options without valid certification

  • Not extending contract performance periods without current CMMC status


Consequence of Non-Compliance:
  • Contract ineligibility

  • Unable to bid on CMMC-required contracts

  • Loss of existing contract options/extensions


Phased Implementation Schedule

Official Start Date: November 10, 2025

4-Phase Implementation over 3 Years (November 10, 2025 - November 10, 2028):

PHASE 1: Self-Assessment Focus (Months 1-12)

  • Duration: November 10, 2025 - November 9, 2026

  • Primary Activity: CMMC Level 1 and Level 2 self-assessments

  • Cost: Lower cost phase focused on internal assessments


PHASE 2: Level 2 Certification Assessments (Months 13-24)
  • Duration: November 10, 2026 - November 9, 2027

  • Primary Activity: C3PAO-led Level 2 Certification Assessments

  • Cost: Higher cost due to third-party assessments


PHASE 3: Level 3 Implementation (Months 25-36)
  • Duration: November 10, 2027 - November 9, 2028

  • Primary Activity: DIBCAC Level 3 assessments for critical/high-value CUI

  • Scope: ~1,500 DIB companies with critical CUI


PHASE 4: Full Implementation (Post-November 2028)
  • Status: Complete implementation of all CMMC requirements

  • Steady State: Ongoing compliance with triennial assessment requirements


Supplier Performance Risk System (SPRS)

SPRS Role:

  • Online system for contractor affirmations

  • Contractor updates with current CMMC status

  • Verification source for contracting officers

  • Tracks certification validity and renewal dates


Massachusetts Perspective

Massachusetts Defense Industry Overview


Massachusetts has one of the nation's largest defense industrial bases with major prime contractors, technology companies, and specialized suppliers.

Applicability to Massachusetts Contractors


Universal Applicability:
  • CMMC is a federal requirement

  • Applies to all DoD contractors regardless of location

  • Massachusetts contractors have no special exemptions

  • Equal application across all states


Contractual Trigger: Any contractor receiving DoD contract involving FCI/CUI

Massachusetts Supply Chain Impact

Multi-Tier Flowdown:

  • Raytheon (Prime) → Tier-1 MA Suppliers → Tier-2 MA Subcontractors

  • General Dynamics → MA business units → MA regional suppliers

  • Out-of-state primes → MA subcontractors


Compliance Costs:
  • Annual self-assessment execution

  • Triennial third-party assessments (Level 2, Level 3)

  • Compliance infrastructure development

  • Remediation of security gaps

  • Training and awareness programs


Related Frameworks

NIST SP 800-171 (NIST SP 800-171 R2)


Official Title: "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations"
  • Forms basis for CMMC Level 2 (110 practices)

  • 14 security requirement families

  • Mandatory for DoD contractors handling CUI


NIST SP 800-172


Official Title: "Enhanced Security Requirements for Protecting Controlled Unclassified Information"
  • Forms basis for CMMC Level 3 additional requirements (24 practices)

  • APT defense focus

  • Supplements NIST SP 800-171


DFARS 252.204-7012


  • Safeguarding Covered Defense Information

  • Cyber Incident Reporting (72-hour requirement)

  • Implements the NIST SP 800-171 requirements


FAR 52.204-21


  • Basic Safeguarding of Covered Contractor Information Systems

  • 15 security practices (basis for Level 1)


Effective Dates and Timeline

Final Rule Publication


  • CMMC Program Final Rule: October 15, 2024 (89 FR 83092)

  • Final Rule Effective: December 16, 2024

  • DFARS Implementing Rules: September 10, 2025

  • Implementation Begins: November 10, 2025


Key Milestone Dates


  • December 16, 2024: Final Rule Effective (32 CFR Part 170)

  • November 10, 2025: Implementation begins; DFARS 252.204-7021 mandatory

  • November 9, 2026: Phase 1 ends / Phase 2 begins

  • November 9, 2027: Phase 2 ends / Phase 3 begins

  • November 9, 2028: Phase 3 ends / Phase 4 begins (full implementation)


Certification Validity and Renewal

Level 1 (Self-Assessment):

  • Valid for 12 months

  • Annual reassessment required


Level 2:
  • Initial valid for contract award

  • Validity: 3 years (triennial)

  • Annual affirmations required between assessments


Level 3:
  • Initial valid for contract award

  • Validity: 3 years (triennial)

  • Annual affirmations required

  • Must maintain current Level 2 Final certification


Key Takeaways

  1. Comprehensive Verification: CMMC verifies implementation of cybersecurity controls across Defense Industrial Base

  2. Tiered Approach: Three levels (1-3) based on information sensitivity and threat environment

  3. Phased Implementation: 4-phase rollout over 3 years provides industry time to prepare

  4. Third-Party Assessment: Level 2 critical programs and Level 3 require independent assessment

  5. Supply Chain Applicability: Requirements flow down through entire supply chain

  6. Massachusetts Impact: Significant impact on MA defense contractors and extensive supply chain

  7. Contract Requirement: CMMC becomes mandatory for contract award, option exercise, and performance

Applicable Industries

  • Defense Contractors (Prime)

  • Defense Subcontractors (All Tiers)

  • Aerospace and Defense

  • Manufacturing (Defense)

  • IT Services (Defense)

  • Engineering Services

  • Research Institutions (DoD Contracts)

  • Defense Supply Chain

Effective Date

11/10/2025

Penalties for Non-Compliance

Contract ineligibility (cannot bid or receive DoD contracts without required CMMC certificate), loss of contract options, inability to extend performance periods, potential debarment for false affirmations, removal from DoD contractor eligibility.

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.