Frequently Asked Questions
CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
Overview of CMMC 2.0 Model
The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.
In alignment with section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.
Key changes incorporated under the CMMC 2.0 framework
With the implementation of CMMC 2.0, the Department intends to introduce the following changes to the CMMC Model relative to CMMC 1.0:

Model
- CMMC 1.0:
  - 5 increasingly progressive levels from Basic to Advanced
  - Levels 2 and 4 intended as transition stages between Levels 1, 3, and 5
- CMMC 2.0:
  - 3 increasingly progressive levels:
    - Foundational / Level 1 (same as previous Level 1)
    - Advanced / Level 2 (previous Level 3)
    - Expert / Level 3 (previous Level 5)

Requirements at Each Level
- CMMC 1.0:
  - Requirements include cybersecurity standards and maturity processes at each level
  - Cybersecurity standards consist of certain requirements from NIST SP 800-171 as well as CMMC-unique standards
- CMMC 2.0:
  - Eliminates all maturity processes
  - Eliminates all CMMC-unique security practices:
    - Advanced / Level 2 will mirror NIST SP 800-171 (110 security practices)
    - Expert / Level 3 will be based on a subset of NIST SP 800-172 requirements
The Department intends to post the CMMC 2.0 model for Levels 1 and 2, their associated Assessment Guides, and scoping guidance to this website in the coming weeks for informational purposes. Level 3 information will likewise be posted as it becomes available.
As a result of the alignment of CMMC to NIST standards, the Department’s requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements.