CMMC

Cybersecurity Maturity Model Certification 2.0 (32 CFR Part 170)

CertificationUS DoD

CMMC 2.0 establishes cybersecurity requirements for the Defense Industrial Base, replacing the previous self-attestation model with verified assessments. The final rule (32 CFR Part 170) became effective December 16, 2024, with phased contract rollout from November 2025. Three levels align with NIST SP 800-171 and 800-172, covering approximately 338,000 DoD contractors.

Certification Levels

110

Level 2 Controls

Control Families

Dec 2024

Rule Effective

Who Needs to Comply

Defense Industrial Base (DIB)

DoD prime contractors and subcontractors (~338,000 organisations)
Approximately 68% are small businesses
FCI handling → Level 1 minimum
CUI handling → Level 2 or Level 3
COTS-only contracts exempted (for 3 years from effective date)

Phased Rollout

Phase 1 (Nov 2025): Level 1/2 Self and C3PAO in contracts
Phase 2 (Nov 2026): Expanded Level 2 requirements
Phase 3 (Nov 2027): Level 3 certification introduced
Phase 4 (Nov 2028): Full implementation — all DoD contracts

Key Compliance Areas

Level 1 (17 practices)

Foundational

Protects Federal Contract Information (FCI). 17 practices from FAR 52.204-21. Annual self-assessment only. POA&M not permitted — all controls must be fully implemented.

Level 2 (110 controls)

Advanced

Protects Controlled Unclassified Information (CUI). 110 controls from NIST SP 800-171 Rev 2 across 14 families. Self-assessment or C3PAO certification (3-year validity) depending on CUI priority.

Level 3 (134 controls)

Expert

Protects CUI critical to national security. All 110 NIST 800-171 controls plus 24 additional from NIST SP 800-172. Government-led assessment by DCMA DIBCAC every 3 years.

14 Control Families

NIST SP 800-171 Structure

Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Comms Protection, System & Info Integrity.

How Orizon Helps

Level Determination

Identify which CMMC level is required based on the type of information you handle: FCI (Level 1) or CUI (Level 2/3). Review contract requirements.

NIST 800-171 Gap Assessment

Assess your current security posture against NIST SP 800-171 Rev 2’s 110 controls across 14 families. Generate your SPRS score.

SSP & POA&M Development

Develop your System Security Plan (SSP) documenting how each control is implemented. Create Plans of Action & Milestones for any gaps (Level 2: must achieve 80% minimum).

Control Implementation

Implement required controls: access management, encryption, audit logging, incident response, configuration management, and physical security.

Assessment Preparation

For Level 2 C3PAO assessment: engage a Cyber-AB accredited Third-Party Assessment Organisation. Prepare evidence and documentation for the 3-year certification.

Continuous Compliance

Submit annual affirmations in SPRS. Maintain controls, monitor for changes, and address any POA&M items within the 180-day conditional window.

Official Sources

Assess Your Compliance

Expert guidance for your CMMC compliance journey.

Get Started