Cybersecurity Maturity Model Certification 2.0

CMMC 2.0 streamlines the original model into three levels (Foundational, Advanced, Expert). Level 1 covers the 17 FAR 52.204-21 safeguards for FCI. Level 2 maps to NIST SP 800-171 r2 (110 controls) and is required for handling Controlled Unclassified Information (CUI). Level 3 layers in selected NIST SP 800-172 enhanced requirements. Final rule 32 CFR Part 170 took effect December 2024; DFARS 252.204-7021 contract clause flows down through 2028.