CMMC 2.0 · Defense Industrial Base
CMMC 2.0
compliance
The Cybersecurity Maturity Model Certification is the US Department of Defense programme for protecting sensitive information across the defense supply chain. Here are the three levels, what each protects, and how to get assessment-ready.
Built on NIST SP 800-171 and 800-172 — for any contractor or delivery partner handling FCI or CUI.
DoD CMMC 2.0 · NIST SP 800-171 / 800-172 · Last reviewed June 2026
Direct Answer
What is CMMC?
CMMC 2.0 is the US Department of Defense framework that verifies contractors safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It has three levels tied to existing NIST standards: Level 1 to FAR basic safeguarding, Level 2 to the 110 controls of NIST SP 800-171, and Level 3 to a subset of NIST SP 800-172. The level a company must meet is set in its DoD contract, based on the information it handles.
The model
The three CMMC levels
Foundational
Protects Federal Contract Information (FCI). Covers the 17 basic safeguarding practices from FAR 52.204-21, verified by an annual self-assessment with an executive affirmation.
- 17 foundational practices
- Scope: Federal Contract Information (FCI)
- Annual self-assessment + affirmation
- Entry level for most subcontractors
Advanced
Protects Controlled Unclassified Information (CUI). Aligned to the 110 controls of NIST SP 800-171. Prioritised programmes need a third-party (C3PAO) assessment; others may self-assess.
- 110 controls aligned to NIST SP 800-171
- Scope: Controlled Unclassified Information (CUI)
- C3PAO assessment or self-assessment
- Required for most CUI-handling contractors
Expert
Protects CUI against advanced persistent threats. Builds on NIST SP 800-171 with a subset of NIST SP 800-172 enhanced controls, assessed by the government (DIBCAC).
- NIST 800-171 plus selected 800-172 controls
- Scope: highest-priority CUI programmes
- Government-led (DIBCAC) assessment
- For the most sensitive defense work
How we help
Getting assessment-ready
Tranquility Cybersecurity prepares contractors and offshore delivery partners for a CMMC assessment — we do not perform the assessment itself, which only a C3PAO or the government can.
NIST 800-171 gap analysis
Assess your environment against all 110 controls and produce a prioritised remediation roadmap.
Control implementation
Implement access control, monitoring, incident response, and the technical safeguards CMMC expects.
SSP & POA&M documentation
Build the System Security Plan and Plan of Action & Milestones the assessor will review.
Frequently Asked Questions
Common questions about CMMC 2.0 and the defense supply chain.
What is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense programme that verifies defense contractors protect sensitive information. CMMC 2.0 streamlines the model to three levels and ties them directly to existing NIST standards — Level 1 to FAR basic safeguarding, Level 2 to NIST SP 800-171, and Level 3 to a subset of NIST SP 800-172.
Who needs to comply with CMMC?
Any organisation in the Defense Industrial Base (DIB) that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DoD contracts — including subcontractors and offshore delivery partners. The required level is specified in the contract, based on the type of information involved.
How does CMMC relate to NIST 800-171 and ISO 27001?
CMMC Level 2 is essentially an assessed implementation of NIST SP 800-171, so a contractor that has implemented 800-171 has done most of the Level 2 work. ISO 27001 is not equivalent, but a mature ISMS provides a strong control foundation — governance, access control, logging, and incident response — that maps to many CMMC practices and accelerates readiness.
Does Tranquility Cybersecurity issue CMMC certifications?
No. Only an authorised C3PAO (for Level 2) or the government (for Level 3) can conduct an official CMMC assessment. Tranquility Cybersecurity provides readiness — a gap analysis against NIST SP 800-171, control implementation, documentation (SSP and POA&M), and pre-assessment support — so you walk into the assessment prepared.
Related frameworks
Written By Expert Auditors
Keep Exploring
Related Reading
ISO 27001 Overview
The ISMS standard — the baseline certificate global buyers ask for.
Read moreSOC 2 Overview
The AICPA attestation US and global enterprise buyers ask for.
Read moreVAPT / Penetration Testing
Manual-first web, API, network and mobile testing with retest included.
Read moreAnnex A Controls Overview
All 93 controls across organizational, people, physical and tech domains.
Read moreISO 27001 Knowledge Hub
All 93 Annex A controls, all clauses, every guide in the cluster.
Read moreProof & Track Record
Every number we publish — explained, sourced and verifiable.
Read moreGet in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours