Cybersecurity Maturity Model Certification 2.0

To safeguard sensitive national security information, the Department of Defense (DoD) has announced Cybersecurity Maturity Model Certification 2.0 (CMMC). This new framework validates your organization's cybersecurity practices, and protects the Defense Industrial Base (DIB) from potential cyber threats.

Pax8 is here to help

Completing CMMC can be hard by yourself. Our team of specialists will guide your CMMC journey, before and after you’re certified.

What is CMMC? Why is it important?

CMMC is a unified framework created by the US DoD to standardize and elevate cybersecurity for the US DIB using an outlined set of practices and an assessment. CMMC provides assurance that certified organizations can be trusted to store and manage Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC compliance will evaluate an organization on their cybersecurity practices and controls that an organization uses to guarantee data protection measures are in place. CMMC assessors will examine controls instead of policy documentation to ensure organizations can demonstrate their actual control measures and how they are safeguarding data in real-time.

Initial requirements for CMMC will appear in US DoD contracts by 2023 as an awarding condition.

Despite the longer timeline, partners will want to act early to prepare. Due to the assessment requirements, partners can expect to take up to a year to build their cybersecurity actions to meet the requirements needed prior to taking an assessment.


Initial requirements for CMMC will appear in US DoD contracts by 2023 as an awarding condition.

Key features of the CMMC Framework

Tiered model

CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.

Assessment requirement

CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.

Implementation through contracts

Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

Looking for guidance on CMMC?

CMMC certification levels

Whereas CMMC 1.0 had five certification levels, there are only three within CMMC 2.0. These levels reflect the maturity and reliability of a company and their cybersecurity infrastructure to safeguard sensitive government information.

CMMC 2.0 Certification Levels
Your CMMC questions answered

CMMC stands for Cybersecurity Maturity Model Certification. It is designed to assess the security posture of Defense Industrial Base (DIB) companies to verify that appropriate practices and procedures are implemented prior to granting defense contracts.  

CMMC 2.0 is a refreshed version of CMMC 1.0 that is undergoing the lawmaking process. The US DoD decided to refresh CMMC 1.0 because it was considered too costly and burdensome for many in the defense industry, especially small to medium-sized enterprises that do not have relevant data needed to pass the different assessment levels. CMMC 1.0 originally had five certification levels partners could assess while CMMC 2.0 streamlines this to three levels with simpler requirements.

While CMMC 2.0 is under development, the US DoD is encouraging defense contractors to follow cybersecurity practices laid out by the National Institute of Standards and Technology (NIST 800-171).

If you work directly (or indirectly) on Department of Defense (DoD) contracts containing Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI), you must fully comply to the mandate.

Starting in 2025, all defense contracts will have CMMC 2.0 listed as a requirement in order to receive the contract.

“The publication of materials relating to CMMC 2.0 reflect the Department’s strategic intent with respect to the CMMC program. However, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.” — DoD

FCI is information provided by the federal government under contract not intended for public release. CMMC requirements specify that organizations handling FCI must minimally meet Level 1 certification. 

CUI is information that requires safeguarding controls consistent with laws, regulations, and government-wide policies, excluding information classified under Executive Order 13526, Classified National Security Information, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. CMMC requirements specify organizations storing / processing / transporting CUI must minimally meet Level 3 certification.

Looking for guidance on CMMC?

North America

United States

Europe, Middle East, Africa

United Kingdom
Deutsch français
Other Europe


Other Asia-Pacific