CMMC requirements have been shifting recently, with a new version of the Cybersecurity Maturity Model Certification (CMMC 2.0) and distinct levels requiring distinct controls. Mandatory for practically any organization doing business with the US Department of Defense (DoD), CMMC is unavoidable all along the DoD’s supply chain.
The final rule on CMMC 2.0 went into effect as of December 16, 2024, and Level 2 assessments can start immediately. The phased rollout of CMMC 2.0 will begin in early 2025, meaning that time is of the essence to start building a long-term strategy for staying compliant with the new version of CMMC.
In this blog, I’ll unpack some of the most important aspects of CMMC 2.0, how recent changes might influence your approach to CMMC compliance, the CMMC requirements you should know now — and why just configuring the right controls is still not enough for CMMC compliance.
Table of Contents
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) Program is a framework and certification that assesses information systems for compliance with standards published by the National Institute of Standards and Technology (NIST). CMMC applies mainly to contractors and subcontractors along the supply chain of the US Department of Defense (DoD).
US Department of Defense (DoD) uses CMMC to enhance the cybersecurity posture of the US government, the DoD itself, and private sector contractors and suppliers (together known as the Defense Industrial Base, or DIB). Like most compliance regulations, CMMC was born from a lack of commonly accepted standards for information security. The DoD’s supply chain — including private sector institutions, partners, vendors, contractors, subcontractors, and individuals — has increasingly become prey for sophisticated cyberattacks at home and abroad (not to mention the victim of human error and software vulnerabilities).
The DoD published the original CMMC model in 2020 to better safeguard sensitive, unclassified information, establishing a comprehensive strategy to secure the information handled by those organizations. CMMC got a major update in 2024 — read on to find out what changed between CMMC 1.0 and CMMC 2.0.
FCI & CUI: What Kind of Information is Protected Under CMMC?
CMMC covers Federal Contract Information (FCI), including low-sensitivity information like contracts and project timelines, and Controlled Unclassified Information (CUI), which includes critical information like personally identifiable information (PII) and police records.
The main differentiator between FCI and CUI is the sensitivity of the information they cover, though both cover non-public information. FCI is less sensitive than CUI and includes information generated during federal contracting, like project deliverables and vendor details. CUI is more sensitive and considered more important to protect than FCI, comprising things like individual PII and law enforcement records.
Here’s an apples-to-apples breakdown of FCI and CUI as CMMC sees them:
Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | |
| Definition | Information generated or provided during the process of creating and approving contracts between government entities and contractors (public and private). | Information created or possessed by (or on behalf of) the government that is subject to specific controls for safeguarding or disseminating (like NIST SP 800-171). Does not include classified information. |
| Examples | Contracts, deliverable details, fulfillment timelines, contractor details (like a company name, size, or location). | Information regulated by export laws (like weaponry design specifications, research, and engineering data) as well as PII (like individual names, financial information, and health information). |
| Scope | Limited to contract-related information. | Covers a wide range of sensitive information along the DoD supply chain. |
Example: A government agency awards a manufacturing contract to one of its vendors. Many pieces of information are generated, stored, and transferred as part of the contracting process. None of it is made public, but as it’s accessed and used by the parties involved, some of it will be considered FCI (average sensitivity) and some of it will be considered CUI (high sensitivity):
- FCI example: A broad description of the items to be manufactured; the name of each entity; codenames for deliverables; monetary value of the contract; project timelines and milestones. Can include redacted emails and other correspondence, if they don’t include personal details or other protected information.
- CUI example: The names of individuals involved in the transaction; employment details; contact information (personal email, home address, phone number); service records; engineering documents and blueprints. Can include emails and other correspondence, if they include unredacted personal information.
Who’s Subject to CMMC Requirements & Compliance?
CMMC applies to organizations in the Defense Industrial Base (DIB) that handle information for the US Department of Defense (DoD). That can include companies in aerospace, weapons manufacturing, research, IT, and many more.
Thousands of organizations are subject to CMMC requirements. Rather than define all the various disciplines and industries that might need to comply, CMMC instead defines them by their relationship to the DoD: Prime contractors, subcontractors, vendors, and cloud service providers.
- Prime contractors provide goods or services through direct contract with the DoD.
- Example: An aerospace company that wins a DoD contract for a new airborne personnel carrier.
- Subcontractors work under prime contractors, providing specialized tasks or custom development to help prime contractors fulfill their contracts.
- Example: The radar manufacturer that designs and builds the radar system for the aerospace company to put in that new carrier.
- Suppliers provide goods or services to both prime and subcontractors.
- Example: A manufacturer providing aluminum sheets for the walls of the carrier or circuit boards for that radar system.
- Cloud service providers that process, store, or transmit CUI for a DoD contract.
- Example: AWS GovCloud, where the contractor accesses, stores, shares, and collaborates on CUI in the cloud.
CMMC 1.0 vs. CMMC 2.0
Compared to the original CMMC 1.0, CMMC 2.0 makes following the rules easier. CMMC 2.0 streamlines the original five levels of CMMC 1.0 to three levels. This builds in flexibility for covered companies while still maintaining high standards for processing, storing, and transmitting sensitive information.
CMMC 2.0 was introduced in 2021, with the intent to simplify compliance with CMMC requirements. CMMC 2.0 fully replaces CMMC 1.0, meaning any organization subject to CMMC 1.0 is subject to the updated CMMC 2.0 requirements structure.
Note on CMMC 2.0 Deadlines:
The effective date for the CMMC program rule was December 16, 2024. On that date, Certified Third-Party Organization (C3PAOs) could start conducting CMMC 2.0 Level 2 compliance assessments. Next, a Defense Federal Acquisition Regulation Supplement (DFARS) rule change on an undetermined date will occur in “early to mid-2025.” From there, the program will go through a four-phase, three-year rollout in which CMMC assessments will become requirements for DoD contract awards.
Bottom line: Get ready for CMMC assessment now to avoid the costly scramble for compliance and the risk of losing contracts.
To summarize some of the key differences between CMMC 1.0 and CMMC 2.0:
CMMC 1.0 | CMMC 2.0 | |
| Structure | Five levels of requirements (based on processes and practices) | Three levels of requirements |
| Assessment Requirements | Third-party assessment required for all levels | Self-assessment is permitted for Level 1 and certain Level 2 requirements |
| Plans of Action and Milestones (POA&Ms) | No allowance for POA&Ms to identify, document, and plan remediation efforts for noncompliant controls — CMMC compliance was “all or nothing” | Allows organizations to use POA&Ms for areas of noncompliance with non-critical controls, helping them pass assessments with structured deadlines and goals |
| Waivers for Requirements | No allowance for the government to waive CMMC requirements | Allows the US government to waive certain non-critical CMMC requirements, giving contractors some flexibility in compliance |
CMMC 2.0 Requirements to Know: Levels & Maturity
Requirements for CMMC compliance include system hardening measures like access control, authentication, and incident response, as well as personnel security and physical protection. CMMC assessment requirements range from self-assessment (Level 1) to assessment by a government entity once every three years (Level 3).
As I mentioned above, CMMC requirements are split into 3 levels of increasing intensity:
- CMMC Level 1 is the most basic, covering foundational cyber hygiene practices to protect FCI and requiring annual self-assessment.
- CMMC Level 2 specifies more than 100 comprehensive cybersecurity controls from NIST 800-171, and requires assessment by a C3PAO every three years (unless designated by the DoD).
- CMMC Level 3 is the most stringent degree of CMMC requirements, introducing additional NIST controls and mandating assessments by government officials every three years.
The Maturity Model
CMMC 2.0 incorporates (and assesses against) a maturity model at Level 2 and Level 3. In the context of CMMC 2.0, maturity means implementing those 110 (or more) practices from NIST and being able to demonstrate that you’ve been effectively managing them. Maturity is more than basic documentation; it’s the proof you’ve been maintaining compliant cybersecurity controls and other practices that protect FCI and CUI.
- Maturity is a key expectation of CMMC compliance. Instead of accepting the results of an assessment once every one to three years, CMMC assessors want proof that your compliant processes and controls are being continuously enforced and followed over time.
- What constitutes proof of CMMC maturity might vary by your requirements. It can include testing, continuous improvement, and ongoing personnel training.
Comparison: CMMC 2.0 Requirements for Level 1, 2 & 3
CMMC Level 1: Foundational | CMMC Level 2: Advanced | CMMC Level 3: Expert | |
| # Controls Required | Requires 15 controls from FAR 52.204-21 | Requires 110 NIST SP 800-171 controls | Requires 110 controls from NIST SP 800-171 and 24 controls from NIST SP 800-172 |
| Purpose | Protecting FCI | Protecting CUI | Protecting high-priority sensitive CUI |
| Example Controls |
|
|
|
| Maturity Model Expectation | Not expected to demonstrate maturity | Expected to demonstrate maturity | Expected to demonstrate maturity |
| Assessment | Annual self-assessment | Assessments by a C3PAO every three years, or self-assessment for select programs | Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment every three years |
| Example Organizations Covered | Companies that work with the DoD and its agencies but don’t access technical information and never interact with CUI | Companies that interact with CUI as they develop, research, and manufacture for military applications; or those that maintain IT services for sensitive DoD networks | Companies handling critically sensitive CUI to develop stealth systems, missile defense, nuclear applications, and more |
What Do You Need to Do to Get Compliant with CMMC 2.0?
Each increasing level of CMMC 2.0 requires a greater number of controls to enforce, as well as more stringent assessments. Level 1 features a small number of basic controls and is self-assessed, while Level 3 covers more than 110 controls and DIBCAC assesses compliance.
According to the DoD’s Cybersecurity Maturity Model Certification (CMMC) Model Overview Version 2.13 (September 2024), CMMC 2.0 controls across all levels are aligned to 14 core “domains” or areas of focus. Here’s an overview of the compliance expectations for each level of CMMC 2.0:
CMMC Level 1: Configure and Enforce Controls from FAR 52.204-21
CMMC 2.0 Level 1 requires implementation of 15 basic cybersecurity practices focused on protecting FCI. These 15 specific controls are split across six key domains:
- Access control (limiting system access)
- Identification and authentication (authenticating identities for system access)
- Media protection (like wiping drives before disposal or reuse)
- Physical protection (managing physical access and devices like keycards, visit logging, etc.)
- System and communications protection (protecting information handled by your information systems at external and internal boundaries)
- System and information integrity (drift remediation, scanning, etc.)
CMMC Level 2: Enforce 110 Controls from NIST 800-171
CMMC 2.0 Level 2 is a fairly significant step up from Level 1, with seven times as many required controls. These 110 specific controls are split across 14 key domains:
- Access control
- Audit and accountability
- Awareness and training
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
CMMC 2.0 Level 3: Enforce 110 Controls from NIST 800-171 & 24 Controls from NIST 800-172
Level 3 of CMMC is designed to impose a high standard of cybersecurity and ongoing maintenance for companies that handle critically sensitive CUI in their work with the DoD. Under CMMC 2.0 Level 3, just documenting processes and tracking changes isn’t enough. Level 3 requires all 110 controls required by Level 2, plus 24 additional controls from NIST 800-172.
CMMC Level 3 specifically includes controls across 10 key domains:
- Access control*
- Awareness and training*
- Configuration management*
- Identification and authentication*
- Incident response*
- Personnel security*
- Risk assessment*
- Security assessment*
- System and communications protection*
- System and information integrity*
* = Enhanced with more controls under CMMC 2.0 Level 3
Back to topCMMC Maturity: The Critical CMMC 2.0 Compliance Element You Can’t Miss
If there’s one aspect of CMMC compliance that warrants extra attention, it’s maturity. All regulations expect a degree of ongoing optimization, and CMMC places extra emphasis on this aspect of compliance. (It’s right there in the name!)
Documentation isn’t enough for many CMMC assessors. In CMMC terms, ‘maturity’ is less focused on clearing a bar and more focused on the continuous application of CMMC’s requirements. C3PAOs and government assessors will want to see how you’ve implemented controls, yes — but they also want to see how you’ve managed, monitored, updated, and improved them over time.
In terms of your IT configuration management, that means that agentless automation and ad hoc scripting won’t cut it for proving CMMC compliance at every assessment. Only agent-based automation and configuration management can enforce real continuous compliance by maintaining the desired state of your infrastructure (that is, all the configurations that make and keep you CMMC compliant even when the network is down).
Writing your infrastructure configuration policies as code and then monitoring and remediating them automatically is what keeps you compliant — but to meet a standard of IT compliance maturity for CMMC, you then need to:
- Document your IT compliance policy (including system hardening at the server, OS, and application levels)
- Report on every change a human made to those configurations
- Report on every time your automation tool fixed a change that had thrown you out of compliance
- Document every time you intentionally change your compliance policies, explain why, and describe the impact on your compliance configurations
How to Automate CMMC Compliance
You can automate CMMC requirements with a few steps. First, identify the controls you need (based on your CMMC Level). Then, choose and configure tools that can implement those controls (like an RBAC tool, data masking, and MFA). Then, use an agent-based configuration management tool using policy as code to keep those policies consistent across all of your systems automatically.
In practice, it’ll likely take a while to set up CMMC automation on your systems. But the point is that true CMMC compliance is more than picking a tool, writing some automation scripts, and hoping you pass audits.
Think of CMMC automation as more of a strategy than a task. You need to:
- Know which CMMC requirements apply to your organization
- Choose individual pieces of software to enforce controls that meet those requirements
- Configure those system components until they’re in a compliant state
- Create a plan to manage that software across multiple OSes
- Lay out a plan to update configurations if and when the scope and requirements of CMMC change
- Deploy updates at the server, OS, network, and app layers without anything falling through the cracks
Figuring out that list alone could be a heavy lift. But inside each of those steps are plenty of strategic questions, like…
- What’s the best way to enforce each of the required controls for your CMMC Level? (i.e., Should you script/build your own solutions? Rely on an open source option? Buy a commercial product?)
- What if you need to enforce those controls on both Linux and Windows at the same time?
- What if you’re deployed across multiple clouds and need to maintain the same level of CMMC compliance across all of them?
- What if someone changes or overwrites the configurations you set (on purpose or by accident)?
- Does your existing compliance strategy give you a leg up on CMMC? What other frameworks can you leverage to stay compliant with less duplication?
- When it’s time to patch and update, will you have to go to each machine and make sure it applied correctly (and didn’t interrupt any dependencies)?
Compliance with any framework, directive, regulation, or standard is never one-and-done. For CMMC 2.0, automation isn’t just a time-saver — it’s an enabler that makes continuous compliance possible.
The Benefits of Automating CMMC Controls
Automating key compliance controls takes needless toil off of IT’s shoulders, gives developers compliant resources faster, and takes the pressure off of compliance and DevSecOps teams when assessment time comes.
When done manually, the tasks that would ensure compliance with CMMC 2.0 are time-consuming and error-prone. Event-driven automation executes immediate responses to the kinds of changes that would normally require input from sysadmins and engineers — all without manual intervention, and all with documented evidence of each change on the other end.
Here are just a few of the ways automation can make the path to CMMC compliance easier
- Efficiency: When you automate repetitive compliance tasks like configuration, testing, collecting evidence, and reporting, your team has more time to accomplish the strategic tasks that actually drive team satisfaction and business value.
- Accuracy: Manual checks aren’t reliable at any scale, and in enterprise-size fleets, they’re impossible. Automation helps eliminate human error in data collection and reporting, helping you prepare for an audit you can be confident about.
- Visibility: Infrastructure as code — the practice of using automation to manage infrastructure configurations — creates a source of truth for every configuration in your IT. It also automatically documents intentional and corrective changes, which is vital for passing audits because it proves what you’ve done to maintain compliance over time.
- Cost savings: Reduce manual workload and save valuable time by dramatically shortening your audit and remediation activities at scale.
The best way to stay continuously compliant — that is, aligned to cybersecurity best practices 24/7 — is with agent-based automation that can maintain your desired infrastructure state.
Back to topUsing Puppet to Meet CMMC 2.0 Requirements
Puppet lets you define your infrastructure configurations as code (server settings, OS settings, app settings, etc.). That means it can automatically redeploy consistent code when any resources don’t match your coded policies.
Once you’ve configured the security controls you need — the ones that meet your CMMC Level requirement — Puppet can detect any deviations and reinforce those configurations every half hour. The result is what we call continuous compliance: Puppet makes sure your configurations are where you want them to be — 48 times a day, every day.
Puppet is the ideal solution for enforcing CMMC 2.0 requirements for a number of reasons:
- Puppet for CMMC compliance efficiency: Just about every kind of security configuration can be written into your Puppet codebase. Once it’s coded, Puppet’s agent-based automation can deploy it across all relevant systems (including Windows, Linux, and macOS).
- Puppet Enterprise Advanced also includes Security Compliance Enforcement, which enforces configurations built from DISA STIGs and CIS Benchmarks — two leading instructional frameworks for IT cybersecurity.
- Puppet for reporting accuracy: With Puppet, the proof is in the codebase. Puppet runs every 30 minutes to make sure everything’s still aligned to your compliance policies — and if it’s not, the agent will immediately bring things back to the desired state. Puppet code provides human-readable declaration of your policy.
- Puppet for compliance visibility: Puppet automatically documents changes to infrastructure configurations as part of your change record. This streamlines CMMC assessment paperwork with automated documentation that proves what changed, who changed it, and what Puppet did to bring it back into compliance.
- Puppet for overall cost savings: The more you manage with Puppet, the more you save. Time, toil, turnover, and trimmed budgets — with automation, Puppet shrinks your compliance roadblocks with CMMC and more.
- Learn more about the business value of Puppet, including how we’ve helped enterprises save millions a year.
With an emphasis on maturity, CMMC 2.0 is heavily focused on getting government contractors and vendors to maintain and prove continuous compliance — not just securing systems at a single point in time and letting things crumble in between assessments once every three years. In that way, CMMC 2.0 compliance is best seen as part of a blanket strategy for resilient IT management, rather than a bespoke initiative to be "passed" or “failed.” To manage CMMC 2.0 compliance in the long-term, you need a mature, market-proven solution.
Puppet can help you get compliant with CMMC 2.0 requirements and stay that way with automation — saving you time and ensuring accuracy before any assessment. See how Puppet works with a customized demo for your specific industry needs.