CMMC Framework

CMMC 2.0 Maturity Model Explained

A complete guide to the Cybersecurity Maturity Model Certification framework, its three levels, 14 domains, and what they mean for your defense contracts.

What Is the CMMC Maturity Model?

The Cybersecurity Maturity Model Certification (CMMC) is a DoD framework that measures the cybersecurity maturity of defense contractors on a graduated scale. Originally released in January 2020 with five levels, CMMC was streamlined to three levels under the 2.0 revision announced in November 2021. The program rule (32 CFR Part 170) was published as a final rule in October 2024 and took effect on December 16, 2024; the companion DFARS acquisition rule phases CMMC requirements into new solicitations over a three-year period.

The maturity model establishes a clear progression: from basic cyber hygiene for organizations handling only Federal Contract Information (FCI), through advanced security for Controlled Unclassified Information (CUI), to expert-level protections against Advanced Persistent Threats (APTs). Each level builds upon the one below it, creating a cumulative security posture.

CMMC is the government's effort to simplify and enforce cybersecurity requirements across its defense industrial base (DIB). Rather than inventing new controls, it reuses existing requirements and adds a verification layer: FAR 52.204-21 at Level 1, NIST SP 800-171 at Level 2, and selected NIST SP 800-172 requirements at Level 3, all enforced through DFARS clauses. NIST SP 800-53 is the underlying control catalog from which NIST SP 800-171 was derived, not a separate set of CMMC requirements.

CMMC 2.0 Maturity Levels

LEVEL 1 -- FOUNDATIONAL

Basic Cyber Hygiene

  • 15 security requirements for basic safeguarding of FCI (the 15 requirements of FAR 52.204-21; earlier CMMC 2.0 drafts counted them as 17 practices)
  • Derived from FAR Clause 52.204-21
  • Assessment: Annual self-assessment, with the result and an annual affirmation entered in SPRS
  • All 15 requirements must be fully met; no POA&M is permitted at Level 1
  • Applies to contractors handling FCI only (no CUI)

LEVEL 2 -- ADVANCED

Good Cyber Hygiene

  • 110 security requirements, identical to those of NIST SP 800-171 Rev 2
  • Required for all contractors handling CUI
  • Assessment: Triennial certification assessment by a C3PAO for most CUI contracts; triennial self-assessment for a subset of programs, as specified in the solicitation. Both require an annual affirmation of continued compliance in SPRS
  • Limited POA&Ms permitted: the assessment must score at least 88 of 110, and open items must be closed within 180 days to move from conditional to final status
  • Most defense contractors will need this level

LEVEL 3 -- EXPERT

Expert Cyber Hygiene

  • 134 requirements: all 110 Level 2 requirements plus 24 selected from NIST SP 800-172
  • Protects CUI against Advanced Persistent Threats (APTs)
  • Prerequisite: a Final Level 2 certification from a C3PAO covering the same assessment scope
  • Assessment: Triennial government-led assessment by DIBCAC, with annual affirmation in SPRS
  • Reserved for the highest-priority defense programs

Key CMMC Terms

  • Federal Contract Information (FCI): Information provided by or generated for the government under contract that is not intended for public release.
  • Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls per law, regulation, or government policy, but is not classified.
  • Advanced Persistent Threats (APTs): Sophisticated, well-resourced adversaries (typically nation-state actors) who conduct prolonged cyber campaigns against targeted organizations.
  • C3PAO: CMMC Third-Party Assessment Organization, authorized by the Cyber AB (the CMMC Accreditation Body) to conduct Level 2 certification assessments.
  • DIBCAC: Defense Industrial Base Cybersecurity Assessment Center, part of the Defense Contract Management Agency (DCMA), which conducts government-led Level 3 assessments.
  • SPRS: Supplier Performance Risk System, the DoD system where contractors post NIST SP 800-171 DoD Assessment scores under DFARS 252.204-7019/7020 and where CMMC self-assessment results and annual affirmations are recorded; C3PAO and DIBCAC results flow into SPRS from CMMC eMASS.
  • POA&M: Plan of Action and Milestones documenting requirements not yet fully implemented and timelines for completion. Under CMMC 2.0 a POA&M is not permitted at Level 1, and at Level 2 it is limited to lower-weighted requirements, requires a minimum score of 88 of 110, and must be closed within 180 days.

The 14 CMMC Domains

CMMC 2.0 Level 2 encompasses 14 security domains, matching the 14 requirement families of NIST SP 800-171 Rev 2. Each domain contains specific practices that must be implemented and assessed; the counts below sum to the 110 Level 2 requirements. The 15 Level 1 requirements fall within six of these domains (AC, IA, MP, PE, SC, and SI).

  • Access Control (AC) -- 22 practices governing system and data access
  • Awareness & Training (AT) -- 3 practices for security awareness and role-based training
  • Audit & Accountability (AU) -- 9 practices for audit logging, protection of audit records, and review
  • Configuration Management (CM) -- 9 practices for system baselines and change control
  • Identification & Authentication (IA) -- 11 practices for identity verification, including multifactor authentication
  • Incident Response (IR) -- 3 practices for incident handling, reporting, and testing
  • Maintenance (MA) -- 6 practices for controlled system maintenance
  • Media Protection (MP) -- 9 practices for safeguarding and sanitizing media containing CUI
  • Personnel Security (PS) -- 2 practices for personnel screening and termination/transfer handling
  • Physical Protection (PE) -- 6 practices for physical access controls
  • Risk Assessment (RA) -- 3 practices for risk assessment and vulnerability scanning
  • Security Assessment (CA) -- 4 practices for assessing controls, maintaining the system security plan and POA&M, and continuous monitoring
  • System & Communications Protection (SC) -- 16 practices for boundary defense, communications security, and cryptography
  • System & Information Integrity (SI) -- 7 practices for flaw remediation, malicious code protection, and monitoring

Standards Referenced by CMMC

CMMC draws its requirements from a small set of established standards and enforces them through federal acquisition clauses:

  • FAR Clause 52.204-21 -- Basic Safeguarding of Covered Contractor Information Systems (the 15 Level 1 requirements)
  • NIST SP 800-171 Rev 2 -- Protecting CUI in Nonfederal Systems and Organizations (the 110 Level 2 requirements; the current rule references Rev 2, not Rev 3)
  • NIST SP 800-172 -- Enhanced Security Requirements for Protecting CUI (the 24 additional Level 3 requirements)
  • DFARS 252.204-7012, 7019, 7020 and 7021 -- Defense Federal Acquisition Regulation Supplement clauses covering safeguarding and cyber incident reporting, NIST SP 800-171 DoD Assessment scoring in SPRS, and the CMMC contract requirement itself

Related frameworks that are not CMMC source requirements but are commonly used for mapping and implementation:

  • NIST SP 800-53 Rev 5 -- Security and Privacy Controls for Information Systems; the control catalog from which NIST SP 800-171 was derived
  • NIST Cybersecurity Framework (CSF) -- a risk-management framework that maps to the 800-171 families
  • CIS Controls v8 -- Center for Internet Security Critical Security Controls, a prioritized set of safeguards with published mappings to NIST SP 800-171

CMMC Readiness with PTG

Petronella Technology Group is a CMMC Registered Practitioner Organization (RPO) with certified Registered Practitioners on staff. Headquartered in Raleigh, NC, we serve defense contractors throughout the Triangle, the Fort Liberty/Fayetteville corridor, and across North Carolina.

PTG offers multiple options to fit every defense contractor's needs and budget, from comprehensive readiness programs to targeted gap analyses. Our approach typically addresses the majority of compliance requirements in the preparation phase, positioning your organization for a successful first-attempt certification.

CMMC Maturity Model FAQ

How does CMMC 2.0 differ from CMMC 1.0?

CMMC 2.0 reduced the model from five levels to three, eliminated CMMC-unique practices and the separate process-maturity requirements of 1.0, aligned the remaining levels directly with FAR 52.204-21 and the NIST standards, introduced self-assessment for Level 1 and a subset of Level 2 programs, and permitted limited, time-bound POA&Ms. This reduced the compliance burden while maintaining security effectiveness.

What level do most defense contractors need?

Most contractors handling CUI will need CMMC Level 2. Contractors that only handle FCI need Level 1. Level 3 is reserved for the highest-priority programs involving the most sensitive CUI categories.

How are CMMC levels assessed?

Level 1 uses annual self-assessment. Level 2 uses either triennial self-assessment or triennial third-party certification assessment by a C3PAO, depending on the contract. Level 3 requires triennial government-led assessment by DIBCAC. At every level a senior official must affirm continued compliance in SPRS annually, and an assessment or affirmation that lapses invalidates the CMMC status.

What happens if my organization does not meet the required level?

You will not be eligible for contract award or continuation until you achieve the required level. CMMC 2.0 does allow limited POA&Ms at Level 2 and Level 3 (none at Level 1): if the assessment scores at least 88 of 110 and only lower-weighted requirements remain open, the organization receives a conditional status and has 180 days to close the POA&M and obtain a final status.

Are CMMC requirements cumulative?

Yes. Level 2 includes all Level 1 practices. Level 3 includes all Level 2 practices plus additional requirements from NIST SP 800-172. Each level builds upon the previous one.

What is the relationship between NIST SP 800-171 and CMMC?

CMMC Level 2 is directly aligned with NIST SP 800-171 Rev 2. The 110 practices in Level 2 map one-to-one to the 110 security requirements in NIST SP 800-171. CMMC adds the assessment and certification layer that NIST SP 800-171 alone does not provide.

Can subcontractors be assessed at a lower level than the prime?

The required CMMC level depends on the type of information a subcontractor handles, not the prime contractor's level. If a subcontractor only handles FCI, Level 1 may suffice. If they handle CUI, Level 2 is required regardless of the prime's level. Primes are responsible for flowing the applicable CMMC requirement down to each subcontractor and for confirming the subcontractor holds the required status before sharing information.

How does PTG help with CMMC preparation?

As an RPO, PTG provides gap analysis, remediation, SSP development, POA&M management, pre-assessment reviews, and ongoing compliance monitoring. We prepare you for successful certification while maintaining the independence required for the formal assessment process.

Understand Your CMMC Level Requirements

Schedule a free consultation with our certified CMMC Registered Practitioners.

Call us: 919-348-4912

5540 Centerview Dr., Suite 200, Raleigh, NC 27606

Why Choose Petronella Technology Group

Petronella Technology Group has been a trusted IT and cybersecurity partner for businesses across Raleigh, Durham, Chapel Hill, Cary, Apex, and the Research Triangle since 2002. Led by CEO Craig Petronella, an NC Licensed Digital Forensics Examiner (License# 604180-DFE), CMMC Certified Registered Practitioner, Cybersecurity Expert Witness, Hyperledger Certified, and MIT-certified professional in cybersecurity, AI, blockchain, and compliance, PTG brings deep expertise to every engagement.

With BBB accreditation since 2003 and more than 2,500 businesses served, PTG has the experience and track record to deliver results. Craig Petronella is an Amazon number-one best-selling author of books including "How HIPAA Can Crush Your Medical Practice," "How Hackers Can Crush Your Law Firm," and "The Ultimate Guide To CMMC." He has been featured on ABC, CBS, NBC, FOX, and WRAL, and serves as an expert witness for law firms in cybercrime and compliance cases.

PTG holds certifications including CCNA, MCNS, Microsoft Cloud Essentials, and specializes in CMMC 2.0, NIST 800-171/172/173, HIPAA, FTC Safeguards, SOC 2 Type II, PCI DSS, GDPR, CCPA, and ISO 27001 compliance. Our forensic specialties include endpoint and networking cybercrime investigation, data breach forensics, ransomware analysis, data exfiltration investigation, cryptocurrency and blockchain analysis, and SIM swap fraud investigation.

Frequently Asked Questions

What compliance frameworks does PTG help businesses implement?
PTG helps businesses implement and maintain compliance with a wide range of frameworks including CMMC 2.0, NIST 800-171 and 800-172, HIPAA, FTC Safeguards Rule, SOC 2 Type II, PCI DSS, GDPR, CCPA, and ISO 27001. Our compliance consultants work with organizations in Raleigh, Durham, and the Research Triangle to assess current gaps, develop remediation roadmaps, implement required controls, create policy documentation, and prepare for third-party audits or assessments. We take a unified approach that addresses multiple frameworks simultaneously to reduce duplication of effort.
How long does it take to achieve compliance certification?
The timeline varies significantly depending on the framework, organization size, and current security maturity. HIPAA compliance can often be achieved in three to six months with dedicated effort. CMMC Level 2 certification typically requires six to twelve months of preparation. SOC 2 Type II requires an audit observation period, commonly three to twelve months, during which controls must operate effectively. ISO 27001 implementation generally takes six to twelve months. PTG helps organizations develop realistic timelines and prioritize the most critical controls to achieve compliance as efficiently as possible while building a sustainable long-term security program.
What happens if a business fails a compliance audit?
Failing a compliance audit can result in financial penalties, loss of business contracts, reputational damage, and in some cases, legal liability. HIPAA violations can result in fines ranging from one hundred dollars to fifty thousand dollars per violation, up to one and a half million dollars annually per violation category. CMMC non-compliance means losing eligibility for Department of Defense contracts. PCI DSS non-compliance can result in increased transaction fees and loss of payment processing capabilities. PTG helps businesses avoid these consequences through thorough pre-audit preparation, gap assessments, and continuous compliance monitoring.
What is the difference between SOC 2 Type I and Type II?
SOC 2 Type I evaluates the design of your security controls at a specific point in time, providing a snapshot of your security posture. SOC 2 Type II evaluates both the design and operating effectiveness of your controls over a period of time, typically six to twelve months. Type II is considered more rigorous and valuable because it demonstrates that your controls consistently work as intended over an extended period. Most enterprise clients and partners require SOC 2 Type II reports when evaluating vendors. PTG helps organizations prepare for and maintain both types of SOC 2 compliance.
Can one compliance framework satisfy multiple regulatory requirements?
Yes, many compliance frameworks share overlapping controls and requirements. Implementing NIST 800-171 provides a strong foundation for CMMC 2.0 compliance. ISO 27001 maps to many SOC 2 and HIPAA requirements. The NIST Cybersecurity Framework aligns with virtually all other frameworks. PTG takes a unified compliance approach, helping organizations implement controls that satisfy multiple frameworks simultaneously. This integrated strategy reduces duplication of effort, lowers costs, and creates a more cohesive security program that addresses all applicable regulatory requirements without redundant processes or documentation.

The PTG Compliance Process

Achieving and maintaining regulatory compliance requires a structured, repeatable process. PTG has developed a proven compliance methodology refined over more than two decades of helping businesses navigate complex regulatory requirements. Our process begins with a comprehensive gap assessment that evaluates your current policies, procedures, and technical controls against the specific requirements of your target framework. This assessment identifies exactly where your organization stands and what needs to be done to achieve compliance.

Following the gap assessment, PTG develops a prioritized remediation roadmap that outlines every action item needed to close identified gaps. We categorize items by risk level and effort required, allowing organizations to address the most critical deficiencies first while planning for longer-term improvements. Our consultants work alongside your team to implement technical controls, develop required policies and procedures, create employee training programs, and establish the documentation and evidence collection processes needed to demonstrate compliance during audits and assessments.

Compliance is not a one-time project but an ongoing commitment. Regulations evolve, threats change, and business environments shift. PTG provides continuous compliance monitoring services that track your compliance status in real time, alert you to emerging gaps, and ensure that your security controls remain effective. We conduct regular internal audits, update policies as regulations change, and prepare your organization for external audits or assessments. Our goal is to make compliance a natural part of your business operations rather than a periodic scramble to meet audit deadlines.

For organizations subject to multiple compliance frameworks, PTG takes a unified approach that maps overlapping requirements across frameworks. Rather than implementing separate programs for each regulation, we build a comprehensive security and compliance program that satisfies multiple requirements simultaneously. This integrated approach reduces costs, eliminates redundant processes, and provides a clearer picture of your overall security and compliance posture, making it easier to manage ongoing obligations and demonstrate compliance to auditors, clients, and business partners.

Ready to Get Started?

Contact Petronella Technology Group today for a free consultation. Serving Raleigh, Durham, Chapel Hill, and the Research Triangle since 2002.

Call 919-348-4912 to schedule a free consultation.
