Framework B.08 · Cybersecurity Maturity Model Certification 2.0

CMMC 2.0 - the US DoD contract standard, and how CyberFortify produces the evidence.

CMMC 2.0 is the US Department of Defense certification that defense contractors must hold to win and keep contracts involving Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CyberFortify maps every penetration testing and network testing finding to the underlying NIST SP 800-171 / 800-172 controls that CMMC assessors verify.

Maintainer: US Department of Defense (DoD CIO) Model: CMMC 2.0 · 3 levels Used in: Defense Industrial Base contracts
3
Certification levels
110
Level 2 practices (800-171)
C3PAO
Third-party assessment
CUI
Data protected
CMMC 2.0: Level 1 Foundational · Level 2 Advanced · Level 3 Expert · FCI · CUI · NIST SP 800-171 · NIST SP 800-172 · C3PAO assessment · SPRS score · POA&M · 32 CFR Part 170 CMMC 2.0: Level 1 Foundational · Level 2 Advanced · Level 3 Expert · FCI · CUI · NIST SP 800-171 · NIST SP 800-172 · C3PAO assessment · SPRS score · POA&M · 32 CFR Part 170
// Executive summary

CMMC 2.0 makes cybersecurity a condition of doing business with the US Department of Defense. Level 2 - the tier most contractors need - requires demonstrable implementation of all 110 NIST SP 800-171 controls, verified by an accredited C3PAO. CyberFortify's network, application and cloud pen testing reports produce the technical assessment evidence those controls demand.

// 01 What CMMC 2.0 actually is

// DefinitionCMMC 2.0

The Cybersecurity Maturity Model Certification is a US DoD program that verifies a defense contractor's cybersecurity maturity before contract award. It is codified in 32 CFR Part 170, with the acquisition rule (48 CFR) phasing certification requirements into DoD solicitations.

CMMC governs the protection of two data types: Federal Contract Information (FCI) and the more sensitive Controlled Unclassified Information (CUI). The required level is written into each contract - no certificate, no award.

CMMC does not invent new controls. It is an enforcement wrapper around existing NIST publications: Level 1 draws on the 15 basic safeguarding requirements of FAR 52.204-21, Level 2 on the 110 controls of NIST SP 800-171, and Level 3 on a subset of the enhanced requirements in NIST SP 800-172. What CMMC adds is teeth - independent assessment and a certificate that expires.

// 02 The three levels explained

CMMC 2.0 collapsed the original five-level model into three. The level you need is dictated by the sensitivity of the information you handle under contract.

L1Foundational

Level 1 · FCI

17 basic safeguarding practices for contractors handling Federal Contract Information. Self-assessed and affirmed annually in SPRS. Pen testing is not mandated but sharpens the basic access-control and boundary-protection practices.

L2Most common

Level 2 · CUI

All 110 NIST SP 800-171 controls. Prioritized contracts require a triennial C3PAO third-party assessment. This is where CyberFortify testing evidence carries the most weight - the 3.11 and 3.12 control families expect real assessment output.

L3Expert

Level 3 · High-value CUI

Level 2 plus a subset of NIST SP 800-172 enhanced requirements, assessed by the DoD's DIBCAC. 800-172 explicitly calls for penetration testing (3.12.1e) - a direct CyberFortify deliverable.

// 03 How CyberFortify maps findings to CMMC

CMMC assessors verify the NIST SP 800-171 / 800-172 control families beneath each level. Every CyberFortify finding is mapped to the specific control an assessor references, so your remediation and your C3PAO evidence pack line up.

01

Data type

FCI or CUI - establishes the required CMMC level and assessment path.

FCI / CUI
02

Control family

e.g., 3.11 Risk Assessment, 3.12 Security Assessment, 3.13 System & Communications Protection.

14 families
03

Control reference

e.g., 3.11.2 Scan for vulnerabilities, 3.12.1 Periodically assess security controls.

110 controls
04

800-172 enhancement

For Level 3: e.g., 3.12.1e Conduct penetration testing leveraging automated and manual tools.

Level 3
05

Evidence & POA&M

Assessment output, retest attestation and remediation input for your Plan of Action & Milestones.

C3PAO-ready

// 04 Why CMMC matters in 2026

With the CMMC Program rule now in effect, certification requirements are being written into DoD solicitations on a phased schedule. For the roughly 220,000 companies in the Defense Industrial Base, CMMC has shifted from a future concern to a live gate on revenue: a lapsed or missing certificate removes you from the eligible bidder pool. Prime contractors are already flowing requirements down to subcontractors ahead of the DoD deadlines.

CMMC is where a self-attested SPRS score meets an assessor who wants proof. A manual penetration test is the most defensible evidence that your 800-171 controls actually hold under attack - not just on paper.

CyberFortify reporting practice

// 05 Frequently asked questions

Does CMMC require a penetration test?

Level 1 and Level 2 do not explicitly mandate penetration testing, but the 800-171 assessment (3.12.1) and vulnerability-scanning (3.11.2) controls are far stronger with real offensive evidence. Level 3, built on NIST SP 800-172, does call for penetration testing directly (3.12.1e).

What is the difference between CMMC and NIST SP 800-171?

800-171 is the control catalogue; CMMC is the certification and enforcement mechanism that verifies you have implemented it. CMMC Level 2 is the 110 controls of 800-171, plus an independent C3PAO assessment and a certificate.

Who needs Level 2 versus Level 3?

Most contractors handling CUI need Level 2. Level 3 is reserved for the highest-priority programs where CUI faces advanced persistent threats; it adds enhanced 800-172 requirements assessed by the government's DIBCAC.

Can one CyberFortify engagement support CMMC and other frameworks?

Yes. Because CMMC rests on NIST controls, the same engagement evidence cross-maps to NIST CSF 2.0 and FedRAMP. Our reports carry multi-framework mappings on every finding.

Preparing for a CMMC assessment?

Schedule a 30-minute scoping call. CyberFortify will recommend the right offensive testing service and quote a fixed-price engagement - usually within 48 hours.

Schedule scoping call → Back to CyberFortify home →