Understanding CMMC 2.0 [Ultimate Beginner's Guide]

Are you a defense contractor trying to make sense of cybersecurity requirements? Today I'm going to demystify the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework.

April 18, 2025

This matters because without proper CMMC certification, you simply can't do business with the Department of Defense.

What you'll learn today:

  • What CMMC 2.0 is and why it exists
  • The three certification levels and what they require
  • Key domains and security practices you need to implement
  • How to begin your CMMC journey as a beginner

What is CMMC 2.0?

CMMC 2.0 is the Department of Defense standard for implementing security requirements to protect controlled unclassified information (CUI) across the Defense Industrial Base (DIB).

It's not just another compliance framework.

It's a mandatory certification program for any organization that wants to work with the DoD.

The DoD officially published the final rule for the CMMC Program on October 15, 2024.

This version simplified the previous CMMC 1.0 model by removing the transitional levels and eliminating the CMMC-unique security practices, so the remaining levels map directly onto existing federal requirements.

The Three CMMC Levels

CMMC 2.0 consists of three hierarchical levels, each building upon the previous one.

Level 1 - Foundational

  • Required for organizations handling Federal Contract Information (FCI)
  • Contains 15 basic cybersecurity requirements from FAR 52.204-21
  • The minimum level needed to do business with the DoD

Level 2 - Advanced

  • Required for organizations handling Controlled Unclassified Information (CUI)
  • Contains all 110 security requirements from NIST SP 800-171 Rev 2
  • Most defense contractors will need this level

Level 3 - Expert

  • Required for organizations handling CUI for critical programs or high-value assets
  • Contains the 110 requirements from Level 2 plus 24 additional controls from NIST SP 800-172
  • Designed to protect against Advanced Persistent Threats (APTs)

Did you know that approximately 63% of the 212,650 organizations in the DIB only need Level 1 certification?

Less than 1% will require Level 3.

Key CMMC Domains

The CMMC requirements are organized into domains based on cybersecurity best practices.

These domains include:

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Each domain contains specific practices you must implement to achieve certification.

For example, under Access Control at Level 1, you must "limit system access to authorized users, processes acting on behalf of authorized users, and devices."

Getting Started with CMMC

If you're just beginning your CMMC journey, here's how to start:

Step 1: Determine Your Required Level
What type of information will you handle? FCI requires Level 1, while CUI requires Level 2 or higher.

Step 2: Create a Project Plan
Develop a timeline, budget, and resource allocation for your CMMC implementation.

Step 3: Document Your Assets
Identify all systems, networks, and devices that will be in scope for certification.

Step 4: Perform a Readiness Assessment
Compare your current security practices against CMMC requirements to identify gaps.

Step 5: Implement Required Controls
Address the gaps by implementing necessary security controls and documenting your processes.

Remember, the implementation costs will vary based on your organization's complexity, existing security posture, and the solutions you choose.

Wrapping up

CMMC 2.0 is here to stay, and it's a business necessity for defense contractors.

The DoD expects to start including CMMC requirements in solicitations and contracts in early to mid-2025 after the CMMC acquisition rule is completed.

Today you've learned the basics of CMMC 2.0, including its three certification levels, key domains, and how to begin your implementation journey.

The path to certification may seem daunting, but by breaking it down into manageable steps, you can navigate the process successfully.

Your CMMC certification isn't just about compliance—it's about improving your overall security posture to protect sensitive government information.