Back in January 2020, the US Department of Defense (DoD) launched the original version of the Cybersecurity Maturity Model Certification (CMMC 1.0) framework. This framework originated to ensure that organizations had the appropriate cybersecurity measures in place to protect important Department of Defense information including:

  • Controlled Unclassified Information (CUI): CUI is information the Government creates or possesses, or that company creates or possesses for or on behalf of the Government.
  • Federal Contract Information (FCI): FCI is information that is not intended for public release, which is provided by the government under a contract to develop or deliver a product or service to the Government. This does not include information provided by the Government to the public or simple transactional information.

Many organizations were concerned that CMMC 1.0 was far too complex and expensive to comply with, especially for smaller organizations. As a result, the DoD released CMMC 2.0 in November 2021. CMMC 2.0 is a streamlined version of the original, which eliminates the transitional levels 2 and 4 (from CMMC 1.0) and drops the number of levels from five to three:

  • Level 1: Foundational
  • Level 2: Advanced
  • Level 3: Expert

The CMMC 2.0 security maturity levels are based on the type of data that organizations handle. In short, the more sensitive the data involved, the higher the CMMC level required.

Continue reading to learn the different CMMC 2.0 levels to aid you in identifying which level is appropriate for your organization.

CMMC 2.0 Level 1: Foundational

CMMC 2.0 Level 1 focuses on protecting FCI, which is not critical to national security unlike CUI.

Companies that plan to bid for DoD contracts that handle only FCI should aim for this level.

To achieve Level 1 certification, organizations need to comply with the 17 controls found in FAR 52.204-21, which details the basic cybersecurity measures necessary to protect FCI, and undergo an annual self-assessment.

CMMC 2.0 Level 2: Advanced

CMMC 2.0 Level 2 aims to safeguard CUI, which requires a higher level of security than FCI.

The sensitivity of CUI involved is classified into two categories, prioritized and non-prioritized acquisitions. Handling CUI under the first category, known as “critical national security information,” requires triennial assessments from a certified CMMC third-party assessor organization (C3PAO). Handling CUI under the second category, non-prioritized, requires annual self-assessments. Additionally, compliance with all 110 security practices of NIST SP 800-171 is required for this level, which is 20 practices fewer than those required under CMMC 1.0 Level 3 certification.

CMMC 2.0 Level 3: Expert


CMMC 2.0 Level 3 is intended for DIB companies working with CUI on the DoD’s highest priority programs, and focuses on reducing the risk from advanced persistent threats (APTs).

APTs are launched by perpetrators with substantial means to steal highly sensitive data. In order to get certified for this level, organizations need to comply with CMMC 2.0 Level 2’s 110 controls plus a subset of NIST SP 800-172 controls. Assessments for this level are conducted by the government rather than C3PAOs.

How Can Your Company Work Towards CMMC 2.0 Compliance?

If your organization needs to be CMMC compliant to retain current DoD contracts and continue bidding for future contracts, you will greatly benefit from working with an experienced managed IT and security services provider like Kyber Security.

We’re currently offering a CMMC gap review, during which we will review all of the CMMC 2.0 controls with you to identify weak spots in your company’s IT and security posture so you can start to plan your journey to compliance.

This will result in actionable information your organization can use to start on the road to compliance.  This offer is limited to the first 50 respondents, so act today to secure your review with this special offer.
New call-to-action