Cybersecurity Maturity Model CMMC
CMMC 2.0 DoD mandatory DIB cyber certification.
Definition
CMMC 2.0 has 3 levels: Level 1 Foundational (FCI, 17 controls FAR 52.204-21), Level 2 Advanced (CUI, 110 controls NIST SP 800-171 r2), Level 3 Expert (~critical CUI, NIST SP 800-171 r2 + 24 controls NIST SP 800-172). Final rule 32 CFR Part 170 published October 2024, applicable mid-2025 phased. C3PAOs (Certified Third-Party Assessor Organizations) accredited by Cyber AB.
Origin
DoD, CMMC 1.0 January 2020, CMMC 2.0 November 2021, final rule 32 CFR Part 170 October 2024.
Usage
Mandatory for any DoD contractor from mid-2025. Contracts cascade in progress.
Related terms
- NIST SP 800-171 — standard sous-jacent.
- CUI — donnée protégée.
- Cyber AB — accréditeur C3PAO.