U.S. Department of Defense

CMMC 2.0

Cybersecurity Maturity Model Certification for Defense Industrial Base contractors

Overview

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB). It was developed by the Department of Defense (DoD) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors.

CMMC 2.0 streamlines requirements into three levels that align with widely accepted NIST cybersecurity standards. Organizations must achieve the appropriate CMMC level for their contracts to do business with the DoD.

Three Maturity Levels

Level 1 - Foundational
Basic cyber hygiene practices
17 Practices

Focuses on protecting Federal Contract Information (FCI). Corresponds to the 17 practices specified in FAR 52.204-21. Requires annual self-assessment.

Suitable for contractors handling only FCI

Level 2 - Advanced
Enhanced security for CUI protection
110 Practices

Focuses on protecting Controlled Unclassified Information (CUI). Corresponds to the 110 security requirements in NIST SP 800-171. Requires triennial third-party assessment for certain contracts.

Most common level for DIB contractors
Based on NIST SP 800-171 requirements

Level 3 - Expert
Advanced and progressive cybersecurity
110+ Practices

Focuses on protecting CUI from Advanced Persistent Threats (APTs). Includes NIST SP 800-171 plus additional practices from NIST SP 800-172. Requires government-led assessment.

Required for high-priority programs and critical national security information

Industry Use Cases

Defense Contractors

Prime contractors and subcontractors in the Defense Industrial Base must achieve CMMC certification to bid on and maintain DoD contracts involving FCI or CUI.

Aerospace & Manufacturing

Companies manufacturing aircraft, weapons systems, or defense technology must demonstrate cybersecurity maturity to protect sensitive technical data and intellectual property.

IT Service Providers

Managed service providers, cloud service providers, and IT consultants supporting DoD contractors must meet CMMC requirements to handle CUI on behalf of their clients.

Research & Development

Universities and research institutions conducting defense-related R&D must protect CUI and demonstrate compliance with CMMC requirements for applicable contracts.

Assessment Preview

Sample CMMC 2.0 Questions
Our comprehensive assessment covers all CMMC domains with questions tailored to your selected maturity level

Access Control (AC)

"Does your organization limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)?"

Identification and Authentication (IA)

"Does your organization use multi-factor authentication for network access to privileged accounts and for network access to non-privileged accounts?"

Incident Response (IR)

"Does your organization track, document, and report incidents to designated officials and/or authorities?"

Comprehensive Coverage

Our assessment includes questions across all 14 CMMC domains: Access Control, Asset Management, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Recovery, Risk Management, Security Assessment, and System and Communications Protection.

Ready to Assess Your CMMC Compliance?

Start your CMMC 2.0 assessment today and identify gaps in your cybersecurity posture