CMMC Model

Frequently Asked Questions

How will my organization know what CMMC level is required for a contract?

Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?

Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to the NIST SP 800-171. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.

Will prime contractors and subcontractors be required to maintain the same CMMC level?

If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.

CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.

Overview of CMMC 2.0 Model

Protected Information

The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.

In alignment with section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.

Key changes incorporated under the CMMC 2.0 framework

With the implementation of CMMC 2.0, the Department intends to introduce the following changes to the CMMC Model relative to CMMC 1.0:


CMMC 1.0

  • 5 increasingly progressive levels from Basic to Advanced
  • Levels 2 and 4 intended as transition stages between Levels 1, 3, and 5

CMMC 2.0

  • 3 increasingly progressive levels:
    • Foundational / Level 1 (same as previous level 1)
    • Advanced / Level 2 (previous level 3)
    • Expert / Level 3 (previous level 5)
Requirements at Each Level

CMMC 1.0

  • Requirements include cybersecurity standards and maturity processes at each level
  • Cybersecurity standards consist of certain requirements from NIST SP 800-171 as well as CMMC-unique standards

CMMC 2.0

  • Eliminates all maturity processes
  • Eliminates all CMMC unique security practices:
    • Advanced / Level 2 will mirror NIST SP 800-171 (110 security practices)
    • Expert / Level 3 will be based on a subset of NIST SP 800-172 requirements

The Department intends to post the CMMC 2.0 model for Levels 1 and 2, their associated Assessment Guides, and scoping guidance to this website in the coming weeks for informational purposes. Level 3 information will likewise be posted as it becomes available.

As a result of the alignment of CMMC to NIST standards, the Department’s requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements.