Understanding the CMMC 2.0 Framework & Levels

The DoD has recently simplified their cybersecurity certification in what they are calling CMMC 2.0. Find out more about the CMMC 2.0 framework and levels.

The DoD’s Cybersecurity Certification Model

Cybersecurity Maturity Model Certification, often referred to as CMMC, is a program designed by the Department of Defense. It is a standard and certification model for defense contractors handling sensitive agency information.

Before launch, DoD developed many iterations of the program to ensure contractors follow a unifying approach to protect sensitive defense information. Additionally, the standards cover how contractors must handle controlled unclassified data.

Importance of Cybersecurity Maturity Model Certification

Cybercrimes threaten the Defense Industrial Base, a network of organizations, universities, and companies that do business with the Department of Defense. Each entity may have a role in designing and producing military weapons systems.

Companies suffer trillions of dollars in losses in the private sector due to cybercrime. The DoD is also susceptible to cybercrime with a breach being particularly threatening to national security due to the data access of each entity.

Cybercriminals and state-sponsored actors are nonstop in cyber warfare activities aimed at breaching security measures. Therefore, all contractors must meet a basic level of cybersecurity measures.

With CMMC, the department can ensure all contractors keep information secure by following the same requirements as regular government staff.

Being a certified contractor gives your organization a competitive advantage over hundreds of thousands of suppliers. In addition, for multi-year contracts, you are better positioned to secure a contract after responding to an RFP.

Proactively seeking certification strengthens your position in other ways beyond contracts and revenue. For example, achieving certification status means your organization is prepared to fight cybersecurity attacks and minimize damages caused by data breaches.

You are protecting your organization’s reputation outside of working for the Defense Department.

The CMMC Framework

A measure of whether defense contractors are adequately protecting sensitive information is with the CMMC framework. In particular, contractors must implement a set of framework components to meet a basic level of certification:

  • Domains – a group of similar cybersecurity practices relevant to a specified CMMC level
  • Practices – a specific technical security control required to achieve certification at a defined CMMC level
  • Capabilities – not included in CMMC 2.0
  • Processes – not included in CMMC 2.0

Ensuring this occurs requires following a maturity model. Compliance solutions must be comprehensive and scalable in demonstrating security measures. Furthermore, achieving each maturity level depends on the verifiable implementation of the vital components.

Advancement occurs when defense contractors complete certification requirements applicable to the domains at each level.


The model structure that guides CMMC for organizations should improve cybersecurity measures. Currently, CMMC uses 14 domains that provide the technical capabilities to help you achieve and maintain certification status.

  • Access Control – system access requirements, control remote and internal system access, limited authorized users, and protocols to accessing data
  • Audit and Accountability – audit requirements, perform regular audits, protect audit information, regular review, and management of audit logs
  • Awareness and Training – conduct security awareness training and activities
  • Configuration Management – establish configuration baselines, configuration, and change management
  • Identification and Authentication – authenticate entities with access to sensitive data
  • Incident Response – plan response for security incidents after detection, test response to incidents, track reports of events, development and implementation of response after an incident, and post-incident review
  • Maintenance – manage maintenance
  • Media Protection – identify, mark, protect and control media, sanitization process before disposing of media, media protection during transport from one location to another
  • Personnel Security – screen employees and protect controlled unclassified information during employee actions
  • Physical Protection – limit physical access to where sensitive information is kept
  • Risk Assessment – identify, evaluate and manage vulnerabilities, and manage risk within the supply chain
  • Security Assessment – development and management of a system security plan, definition and management of security controls, and perform code reviews
  • System Communications Protection – definition of security requirements communications and systems, system boundaries to control communication flow
  • System Information Integrity – identification and management of flaws within an information system, identification of malicious content, system and network monitoring, and advanced email protections

CMMC Levels

The National Institute of Standards and Technology, NIST, is the former framework for managing the risks of cyber attacks. Cybersecurity Maturity Model Certification replaces parts of NIST with a 3-level approach. Achieving standards at the lower level must occur before advancing to the next one, and requirements are based on the type of data a contractor manages.

Level 1 (Foundational)

Also called basic cyber hygiene, 17 practices lay the foundation for how contractors must perform basic actions. Securing cyber interactions may include:

  • Antivirus on devices
  • Creating strong passwords
  • Requiring multi-factor authentication
  • Maintaining a secure Wi-Fi connection
  • Limit access only to authorized users
  • Privacy agreements for employees handling federal contract information

If your organization wants to meet these requirements, you will not need a third-party certification. Instead, the agency will require you to specify the technology, facility, employees, and any external providers that will have access to the information.

In essence, you must self-certify yearly under a defense contract that the basic safeguarding requirements are being met.

Level 2 (Advanced)

Receiving certification at this advanced stage means organizations are documenting cybersecurity measures. Mirroring NIST Special Publication 800-171 requirements, these measures align with the 110 practices and 14 domains to protect controlled unclassified information.

Some considerations for having a solid cybersecurity approach include:

  • DNS filtering
  • Data backup and restoration
  • Real-time monitoring
  • Ongoing risk assessments
  • Spam protection

To achieve this, you must first identify any gaps that could hinder compliance. For example, you may need to assess existing practices and speak with employees who will work with unclassified information.

Documenting what is needed can help to guide your efforts to ensure CMMC 2.0 readiness. Additionally, third-party assessments by accredited entities will be required every three years to maintain certification.

Level 3 (Expert)

In addition to following NIST 800-171, your organization is responsible for creating and maintaining a plan for safeguarding government information. This expert approach is for defense contractors that work with controlled unclassified information on high-priority programs.

Comparable to the previous CMMC model, specific security requirements are still being developed. However, the Defense Department indicates requirements will cover the 110 practices in NIST 800-171 and a subset of 800-172. A DIBCAC audit is also necessary to achieve compliance.

These resources will help to inform goals, resources, training, and all stakeholders involved with the sensitive data. Having a solid infrastructure should not interfere with the service you will provide the agency.

Certification Process

For companies without in-depth knowledge of the CMMC process, it may be beneficial to work with a Registered Provider Organization (RPO) that can deliver pre-gap reviews and strategies for remediation. The following eight steps can ensure that your organization achieves CMMC certification status as a defense contractor with DoD. 

Assessment of Current Security Processes

Follow NIST 800-172 standards to conduct an assessment of your security protocols. Then, develop and implement a security plan for managing your network and systems.

Make Necessary Improvements

Use the results from the assessment to create a plan of action. Include milestones and target dates to ensure your organization achieves the maximum score for certification. Use the Supplier Performance Risk System to submit your organization’s score.

Identify Scope

Whether it is a single department, a specific program, or the entire organization, determine where and how the sensitive information will be used.

Obtain a Third-Party Assessment

It is recommended that you use an outside entity (C3PAO) to conduct a preliminary assessment to help identify any existing gaps in your IT security processes. 

Fix Gap Findings 

Use the analysis from a third-party professional to implement necessary changes to ensure your organization meets certification standards.

Get a Compliance Audit 

Once you identify and correct information security gaps, schedule a compliance audit before scheduling the CMMC assessment.

Complete Assessment

Be prepared for a four-phase CMMC assessment that usually involves:

  • Pre-assessment planning – gather initial scope details, intake form, assessment team introduction, and assessment plan
  • Assessment meeting – analysis and review of CMMC practices and discuss preliminary findings
  • Post-assessment reporting – results from the assessment team along with a quality assurance review that results in approval or denial
  • Remediation plan for security shortcomings – if approved, you receive 90 days to correct areas where your organization falls short of target performance standards

Receive CMMC Certification 

If all goes as planned, your final step is receiving a certification decision as a defense contractor. You will be notified by the accreditation body if your organization will receive a three-year CMMC certification.

Meet CMMC Requirements With Cybersecurity Consulting Services

Satisfying the assessment requirements set by DoD is crucial to your organization. In addition, you need to demonstrate that your cybersecurity protocols align with the importance of keeping sensitive government information safe and secure.

Meriplex offers consulting services to ensure you meet each level within the CMMC framework. We help you pinpoint weaknesses. Moreover, we provide effective solutions to strengthen your protection against cyber attacks. Contact us today to learn more.