Skip to main contentChat with us

CMMC 2.0 · Defense Industrial Base

CMMC 2.0
compliance

The Cybersecurity Maturity Model Certification is the US Department of Defense programme for protecting sensitive information across the defense supply chain. Here are the three levels, what each protects, and how to get assessment-ready.

Built on NIST SP 800-171 and 800-172 — for any contractor or delivery partner handling FCI or CUI.

3CMMC levels
110NIST 800-171 controls (L2)
FCI · CUIInformation protected

DoD CMMC 2.0 · NIST SP 800-171 / 800-172 · Last reviewed June 2026

Direct Answer

What is CMMC?

CMMC 2.0 is the US Department of Defense framework that verifies contractors safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It has three levels tied to existing NIST standards: Level 1 to FAR basic safeguarding, Level 2 to the 110 controls of NIST SP 800-171, and Level 3 to a subset of NIST SP 800-172. The level a company must meet is set in its DoD contract, based on the information it handles.

The model

The three CMMC levels

Level 1

Foundational

Protects Federal Contract Information (FCI). Covers the 17 basic safeguarding practices from FAR 52.204-21, verified by an annual self-assessment with an executive affirmation.

  • 17 foundational practices
  • Scope: Federal Contract Information (FCI)
  • Annual self-assessment + affirmation
  • Entry level for most subcontractors
Level 2

Advanced

Protects Controlled Unclassified Information (CUI). Aligned to the 110 controls of NIST SP 800-171. Prioritised programmes need a third-party (C3PAO) assessment; others may self-assess.

  • 110 controls aligned to NIST SP 800-171
  • Scope: Controlled Unclassified Information (CUI)
  • C3PAO assessment or self-assessment
  • Required for most CUI-handling contractors
Level 3

Expert

Protects CUI against advanced persistent threats. Builds on NIST SP 800-171 with a subset of NIST SP 800-172 enhanced controls, assessed by the government (DIBCAC).

  • NIST 800-171 plus selected 800-172 controls
  • Scope: highest-priority CUI programmes
  • Government-led (DIBCAC) assessment
  • For the most sensitive defense work

How we help

Getting assessment-ready

Tranquility Cybersecurity prepares contractors and offshore delivery partners for a CMMC assessment — we do not perform the assessment itself, which only a C3PAO or the government can.

NIST 800-171 gap analysis

Assess your environment against all 110 controls and produce a prioritised remediation roadmap.

Control implementation

Implement access control, monitoring, incident response, and the technical safeguards CMMC expects.

SSP & POA&M documentation

Build the System Security Plan and Plan of Action & Milestones the assessor will review.

Frequently Asked Questions

Common questions about CMMC 2.0 and the defense supply chain.

What is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense programme that verifies defense contractors protect sensitive information. CMMC 2.0 streamlines the model to three levels and ties them directly to existing NIST standards — Level 1 to FAR basic safeguarding, Level 2 to NIST SP 800-171, and Level 3 to a subset of NIST SP 800-172.

Who needs to comply with CMMC?

Any organisation in the Defense Industrial Base (DIB) that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DoD contracts — including subcontractors and offshore delivery partners. The required level is specified in the contract, based on the type of information involved.

How does CMMC relate to NIST 800-171 and ISO 27001?

CMMC Level 2 is essentially an assessed implementation of NIST SP 800-171, so a contractor that has implemented 800-171 has done most of the Level 2 work. ISO 27001 is not equivalent, but a mature ISMS provides a strong control foundation — governance, access control, logging, and incident response — that maps to many CMMC practices and accelerates readiness.

Does Tranquility Cybersecurity issue CMMC certifications?

No. Only an authorised C3PAO (for Level 2) or the government (for Level 3) can conduct an official CMMC assessment. Tranquility Cybersecurity provides readiness — a gap analysis against NIST SP 800-171, control implementation, documentation (SSP and POA&M), and pre-assessment support — so you walk into the assessment prepared.

Related frameworks

  • FedRAMP — authorisation for cloud services used by US federal agencies.
  • ISO 27001 — the ISMS foundation that accelerates NIST 800-171 and CMMC readiness.
  • SOC 2 — the attestation US commercial buyers ask for alongside government work.

Written By Expert Auditors

Surendra Pal Singh
Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISODPOCISAMCSEITILISO 27001 Lead AuditorISO 27701 Lead AuditorISO 42001 Lead Auditor
Saundhi Chauhan
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead AuditorISO 27701 Lead Auditor
Last reviewed: June 2026Content verified by certified lead auditors

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations