CMMC 2.0 Standards: Compliance and Tiers Infographic

Learn the standards and tiers of CMMC 2.0 compliance with this infographic from Securance Consulting.

Understanding that the foundation of CMMC is NIST Special Publication (SP) 800-171 is key to setting appropriate compliance goals.


Level 1 — Foundational | Companies with Federal Contract Information (FCI) only: Organizations must adhere to 17 “basic cyber hygiene” controls specified in FAR 52.204-21. Level 1 certification will require annual self-assessments by the DIB company.

Level 2 — Advanced | Companies with Controlled Unclassified Information (CUI): Organizations must adhere to the 110 controls specified in NIST SP 800-171. Level 2 is also separated into two categories based on the criticality of the information stored by the contractor. Level 2 certification will require annual third-party assessments or self-assessments, depending on the type of information the contractor handles.

Level 3 — Expert | Companies with Highly Sensitive CUI: Organizations must adhere to the 110 NIST SP 800-171 controls and up to 35 NIST SP 800-172 controls. The DoD will conduct assessments every three years.


The Advantage of Insight: CMMC 2.0 Standards

Need more information? Our whitepapers deliver the insights you need on common and trending topics in cybersecurity, compliance, assessment, and more. All of these resources are available to download for free on our whitepapers page. For more information on CMMC 2.0 compliance and standards, read our whitepaper, “CMMC 2.0 Compliance Guide: Navigating New DoD Requirements.”