program is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to the NIST SP 800-171. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.
Regular cybersecurity assessments of contractors provide the Department increased assurance that sensitive information shared with the defense industrial base (DIB) is adequately protected. The Cybersecurity Maturity Model Certification (CMMC) 2.0 program simplifies and increases accountability in the cybersecurity assessment process.
Once CMMC 2.0 is implemented, self-assessments, associated with Level 1 and a subset of Level 2 programs, will be required on an annual basis. Third-party and government-led assessments, associated with some Level 2 and all Level 3 programs, will be required on a triennial basis