CMMC Model

Frequently Asked Questions


The Cybersecurity Maturity Model Certification (CMMC) 2.0 program is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.

Overview of CMMC 2.0 Model

Protected Information

The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.

In alignment with section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.

Key Changes Incorporated Under the CMMC 2.0 Framework

With the implementation of CMMC 2.0, the Department intends to introduce the following changes to the CMMC Model relative to CMMC 1.0:

Assessments CMMC 1.0 CMMC 2.0
  • 5 increasingly progressive levels from Basic to Advanced
  • Levels 2 and 4 intended as transition stages between Levels 1, 3, and 5
  • 3 increasingly progressive levels:
    • Level 1 (same as previous level 1)
    • Level 2 (previous level 3)
    • Level 3 (previous level 5)

The Department posted the CMMC 2.0 model for Levels 1 and 2, their associated Assessment Guides, and scoping guidance to this website for informational purposes. Level 3 information will likewise be posted as it becomes available.

As a result of the alignment of CMMC to NIST standards, the Department’s requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements.