RSI Security

A Beginner’s Guide to the CMMC 2.0 Requirements


If your organization plans to work with the Department of Defense (DoD), understanding CMMC 2.0 requirements is the first step toward achieving compliance. These requirements are designed to protect sensitive federal information and are organized into three maturity levels, each with increasing cybersecurity expectations:

Level 1 – Foundational
Focuses on basic safeguarding practices to protect Federal Contract Information (FCI).

Level 2 – Advanced
Includes more detailed requirements aligned with NIST SP 800-171 to protect Controlled Unclassified Information (CUI).

Level 3 – Expert
Represents the highest maturity level, emphasizing advanced cybersecurity practices and alignment with DoD’s most stringent security requirements.

This beginner’s guide explains what each CMMC 2.0 level means and outlines how organizations can start preparing for compliance.

Overview of the Regulatory Context

The Cybersecurity Maturity Model Certification (CMMC 2.0) is a regulatory framework developed by the Department of Defense (DoD) to protect sensitive government data. It applies to contractors, vendors, and other stakeholders within the Defense Industrial Base (DIB) and requires organizations to meet defined CMMC 2.0 requirements before handling certain types of federal information.

At its core, CMMC 2.0 is designed to safeguard two primary data types:

Federal Contract Information (FCI)
Information provided by or generated for the government that is not intended for public release.

Controlled Unclassified Information (CUI)
Sensitive but unclassified data that requires stronger cybersecurity protections.

CMMC 2.0 builds on established standards from the National Institute of Standards and Technology (NIST), including:

NIST SP 800-171
Defines security requirements for protecting CUI from unauthorized access.

NIST SP 800-172
Introduces enhanced controls to defend against advanced cyber threats, such as Advanced Persistent Threats (APTs).

Originally announced in November 2021, CMMC 2.0 has undergone an extended rollout period. Once fully implemented, compliance with CMMC 2.0 requirements will be mandatory for applicable DoD contracts, making early preparation critical for organizations across the defense supply chain.

CMMC 2.0 Level 1 Requirements

CMMC Level 1 is the most basic tier of the CMMC 2.0 requirements. It applies to organizations that handle Federal Contract Information (FCI) only and operate in lower-risk environments. This level typically affects contractors performing limited-scope work with minimal access to sensitive systems or data.

To meet CMMC Level 1 requirements, organizations must implement 15 foundational cybersecurity practices derived from NIST SP 800-171. These practices focus on protecting FCI and serve as the baseline for more advanced security controls at higher CMMC levels.

Common examples of Level 1 practices include:

Unlike higher maturity levels, CMMC Level 1 does not require third-party certification. Organizations may complete annual self-assessments and submit the results directly to the DoD. Maintaining accurate documentation and completing these assessments each year is critical for demonstrating compliance and remaining eligible for DoD contracts.

CMMC 2.0 Level 2 Requirements

CMMC Level 2 represents a significant step up from Level 1 and is widely considered the core of the CMMC 2.0 requirements. It applies to organizations that handle Controlled Unclassified Information (CUI), particularly in environments with elevated cybersecurity risk.

At this level, organizations must fully implement 110 security practices aligned with NIST SP 800-171, organized across 14 control families:

These CMMC Level 2 requirements go well beyond basic FCI protections and are designed to ensure that CUI is safeguarded against more advanced and persistent cyber threats.

Assessment at Level 2

Assessment at CMMC Level 2 is significantly more rigorous than at Level 1. Most organizations are required to undergo a third-party assessment performed by a Certified Third-Party Assessment Organization (C3PAO) accredited by the Cyber AB.

Some lower-risk organizations may be eligible for self-assessment, but the majority of contractors handling CUI will require an independent review.

Assessment cadence includes:

Because of its scope and rigor, Level 2 represents a substantial investment in both cybersecurity controls and compliance management. However, it is also the most common CMMC requirement across DoD contracts, making it a critical focus area for defense contractors.

CMMC 2.0 Level 3 Requirements

CMMC Level 3 represents the most advanced stage of the CMMC 2.0 requirements, intended for contractors working on the Department of Defense’s most sensitive programs. It applies to organizations that manage large volumes of Controlled Unclassified Information (CUI) and operate in environments threatened by Advanced Persistent Threats (APTs).

Level 3 builds on the security practices required at Level 2 by incorporating additional, enhanced requirements from NIST SP 800-172. While the DoD has not finalized the total number of required controls, NIST SP 800-172 outlines 35 enhanced practices across the same 14 control families used in NIST SP 800-171. In practice, this means Level 3 contractors could be responsible for up to 145 total security requirements (110 from Level 2 + 35 enhanced controls).

Assessment at Level 3

Organizations seeking CMMC Level 3 compliance must undergo a government-led triennial assessment. The DoD is still finalizing the agencies and detailed processes for these evaluations, but contractors should anticipate a more rigorous and resource-intensive assessment than that required for Level 1 or Level 2.

Key takeaway: Achieving Level 3 compliance demands significant cybersecurity maturity and organizational resources. Contractors targeting Level 3 should begin aligning their systems with NIST SP 800-172 controls now to avoid delays once the requirements are fully enforced.

Achieve and Maintain CMMC 2.0 Compliance

Securing future Department of Defense (DoD) contracts depends on meeting the appropriate CMMC 2.0 requirements. For organizations handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), this often means achieving at least Level 2 compliance, typically through an independent assessment performed by a Certified Third-Party Assessment Organization (C3PAO).

As a trusted C3PAO, RSI Security has guided defense contractors toward compliance since long before the introduction of the CMMC framework. Our services include:

Partnering with RSI Security is about more than just passing an audit; it’s about building a sustainable cybersecurity program that keeps your contracts secure and your organization competitive in the defense supply chain.

Take the next step: Contact RSI Security today to align your systems with the latest CMMC 2.0 requirements and secure your organization’s future with the DoD.
