
Understanding CMMC 2.0 Requirements: A Beginner's Guide


Are you a small defense contractor feeling overwhelmed by the requirements for CMMC 2.0 compliance? You're not alone. The Cybersecurity Maturity Model Certification (CMMC) is designed to protect sensitive, unclassified information that the Department of Defense shares with its contractors and subcontractors, and it can be daunting for small businesses to navigate. But don't worry; we've got you covered.


Imagine being able to protect your business from cyber threats and data breaches while also positioning yourself to win more contracts with the Department of Defense. That's precisely what CMMC compliance can do for you. But where do you even begin?

Don't worry, we're here to make it easy for you. The new version of CMMC (version 2.0) has only three levels of certification: Foundational, Advanced, and Expert. Each level is a set of cybersecurity practices an organization must implement to be certified at that level. In case you're wondering where the practices come from: Level 1 uses the basic safeguarding requirements of FAR 52.204-21 (which correspond to a subset of NIST SP 800-171), Level 2 uses the full NIST SP 800-171 requirement set, and Level 3 adds a subset of the enhanced requirements in NIST SP 800-172 on top of Level 2.


Let's break it down even further.

  • Level 1 (Foundational) is all about protecting Federal Contract Information (FCI). This level requires an annual self-assessment against 17 CMMC practices. These practices are basic cyber hygiene, such as limiting system access to authorized users, identifying and authenticating those users, sanitizing media before disposal or reuse, controlling physical access, and keeping systems patched and protected against malicious code.

  • Level 2 (Advanced) is all about protecting Controlled Unclassified Information (CUI). This level requires an assessment against the 110 requirements of NIST SP 800-171. For most contracts involving CUI, that assessment is performed every three years by a CMMC Third Party Assessment Organization (C3PAO); for a subset of programs the DoD allows an annual self-assessment instead. The 110 requirements span 14 families and go well beyond Level 1, adding areas such as incident response, audit and accountability, risk assessment, and security awareness and training.

  • Level 3 (Expert) is for the highest-priority, most critical defense programs. This level requires a government-led assessment (performed by the DoD, not a C3PAO) covering the full Level 2 requirement set plus a subset of the enhanced requirements in NIST SP 800-172. The enhanced requirements are aimed at advanced persistent threats and include practices such as penetration testing and threat hunting.

Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are two types of information that are important for defense contractors to understand when it comes to CMMC compliance.


FCI is defined in FAR 52.204-21 as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments." Examples of FCI include:

  • Technical data and specifications produced under a contract for a defense system (note that technical data of this kind is frequently also marked as CUI, which raises the requirement to Level 2)

  • Information about the performance of a defense contractor

  • Information about the cost of a defense contract

CUI, on the other hand, is defined as "information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and Government-wide policies." The authorized categories are listed in the National Archives' CUI Registry. Examples of CUI include:

  • Personally Identifiable Information (PII)

  • Sensitive but unclassified information (e.g., law enforcement sensitive information)

  • Privacy sensitive information

  • Export controlled information

  • Critical Infrastructure Information (CII)

  • Controlled Technical Information (CTI), the DoD category most often found in contractor systems

It's important to get the relationship between the two right. CUI is not simply a bigger bucket than FCI; it is the more sensitive category, and what qualifies is decided by law, regulation, or Government-wide policy rather than by the contract alone. In a contractor's hands, CUI received or produced under a DoD contract is also FCI, which is why Level 2 includes every Level 1 practice. The Government, not the contractor, designates and marks CUI; if your contract includes DFARS 252.204-7012, expect to handle CUI and plan for Level 2.

The Cyber Accreditation Body (Cyber AB) accredits the C3PAOs that perform Level 2 certification assessments of Organizations Seeking Certification (OSCs). Note what a C3PAO does not do: it does not choose your level (the DoD states the required level in each solicitation and contract), and it cannot prepare you for the assessment it performs, because conflict-of-interest rules bar a C3PAO from consulting for an OSC it assesses. Your side of the work is to scope the systems that store, process, or transmit FCI or CUI, conduct and document a self-assessment against the applicable practices, write a System Security Plan, and assemble the evidence (policies, configurations, logs, screenshots) showing that each practice is implemented.

But don't think of compliance as a one-time event. Under CMMC 2.0, certification assessments recur every three years, and a senior company official must affirm continued compliance annually; a practice that lapses between assessments puts that affirmation at risk. Review and update your cybersecurity practices regularly, because the threat landscape changes far faster than the assessment cycle.

In summary, CMMC 2.0 is designed to help defense contractors protect FCI and CUI. With only three levels, it is straightforward to work out which requirement set applies to you: Level 1 for FCI, Level 2 for CUI, and Level 3 for the most critical programs. By scoping your environment, conducting a self-assessment, engaging a C3PAO where your contract requires one, and regularly reviewing and updating your cybersecurity practices, you'll be able to protect your business and stay compliant. If you're interested in learning how to achieve CMMC compliance, contact Aspire Cyber today at www.aspirecyber.com or info@aspirecyber.com. Our team of experts is here to help you streamline the compliance process and achieve your goals.
