Cybersecurity Maturity Model Certification 2.0

Crosswalk to NIST CSF 2.0 · 155 controls · Updated April 2026.

CMMC 2.0 is the U.S. Department of Defense cybersecurity certification framework for contractors handling CUI or FCI. It incorporates NIST SP 800-171 (110 controls) at Level 2 and adds selected NIST SP 800-172 controls at Level 3. Assessment rigor increases at each level — self-attestation for Level 1, third-party for Level 2, government-led for Level 3.

About CMMC 2.0

CMMC 2.0 is the streamlined successor to CMMC 1.0, eliminating unique CMMC-only practices in favor of NIST SP 800-171 and 800-172 alignment. The effective date is December 16, 2024, with DoD contracts incorporating CMMC requirements on a rolling basis starting in fiscal 2025.

Contractors handling CUI are required to meet Level 2 (110 controls). The assessment pathway varies by contract criticality — some allow annual self-assessment, most require triennial third-party certification. Level 3 adds roughly 35 controls from NIST SP 800-172 and requires a government-led assessment.

SecurityStack crosswalks CMMC practices to NIST CSF 2.0 categories. The crosswalk density is highest in PROTECT (access control, media protection, configuration management) and IDENTIFY (risk assessment, security assessment).

Primary audience: Defense Industrial Base (DIB) contractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). Effective date Dec 16, 2024.

Controls by domain

155 controls across 26 groups. Mapping strength to NIST CSF 2.0 categories is summarized in the crosswalk density section that follows the tables.

AC 7 controls
Control ID | Name | IG
CMMC-AC.1.001 | Authorized access control policies | L1-L3
CMMC-AC.1.002 | Limit transactions/functions | L1-L3
CMMC-AC.2.005 | Provide privacy/security notices | L1-L3
CMMC-AC.2.006 | Limit use of portable storage | L1-L3
CMMC-AC.3.017 | Separate duties of individuals | L1-L3
CMMC-AC.3.018 | Prevent non-privileged users from executing privileged functions | L1-L3
CMMC-AC.3.020 | Control connection of mobile devices | L1-L3

Access Control (AC) 22 controls
Control ID | Level | Name
CMMC-AC.L1-3.1.1 | L1 | Limit system access to authorized users, processes, devices
CMMC-AC.L1-3.1.2 | L1 | Limit access to authorized transaction types and functions
CMMC-AC.L1-3.1.20 | L1 | Verify and control/limit connections to external systems
CMMC-AC.L1-3.1.22 | L1 | Control information posted on publicly accessible systems
CMMC-AC.L2-3.1.10 | L2 | Use session lock with pattern-hiding displays
CMMC-AC.L2-3.1.11 | L2 | Terminate user session after defined condition
CMMC-AC.L2-3.1.12 | L2 | Monitor and control remote access sessions
CMMC-AC.L2-3.1.13 | L2 | Employ cryptographic mechanisms for remote access
CMMC-AC.L2-3.1.14 | L2 | Route remote access via managed access control points
CMMC-AC.L2-3.1.15 | L2 | Authorize remote execution of privileged commands
CMMC-AC.L2-3.1.16 | L2 | Authorize wireless access prior to connections
CMMC-AC.L2-3.1.17 | L2 | Protect wireless access using auth and encryption
CMMC-AC.L2-3.1.18 | L2 | Control connection of mobile devices
CMMC-AC.L2-3.1.19 | L2 | Encrypt CUI on mobile devices and platforms
CMMC-AC.L2-3.1.21 | L2 | Limit use of portable storage on external systems
CMMC-AC.L2-3.1.3 | L2 | Control CUI flow per approved authorizations
CMMC-AC.L2-3.1.4 | L2 | Separate duties to reduce malevolent activity risk
CMMC-AC.L2-3.1.5 | L2 | Employ least privilege, including for privileged accounts
CMMC-AC.L2-3.1.6 | L2 | Use non-privileged accounts for nonsecurity functions
CMMC-AC.L2-3.1.7 | L2 | Prevent non-privileged users from executing privileged functions
CMMC-AC.L2-3.1.8 | L2 | Limit unsuccessful logon attempts
CMMC-AC.L2-3.1.9 | L2 | Provide privacy/security notices consistent with CUI rules

AT 4 controls
Control ID | Name | IG
CMMC-AT.1.056 | Conduct security awareness activities | L1-L3
CMMC-AT.1.057 | Ensure personnel are trained | L1-L3
CMMC-AT.2.056 | Role-based cybersecurity training | L1-L3
CMMC-AT.3.058 | Provide security training for new threats | L1-L3

AU 3 controls
Control ID | Name | IG
CMMC-AU.2.041 | Audit events that indicate violations | L2-L3
CMMC-AU.2.042 | Ensure audit log review | L2-L3
CMMC-AU.3.045 | Review/analyze/report audit logs | L2-L3

Audit & Accountability (AU) 9 controls
Control ID | Level | Name
CMMC-AU.L2-3.3.1 | L2 | Create and retain system audit logs
CMMC-AU.L2-3.3.2 | L2 | Ensure actions traceable to individual users
CMMC-AU.L2-3.3.3 | L2 | Review and update logged events
CMMC-AU.L2-3.3.4 | L2 | Alert on audit logging process failure
CMMC-AU.L2-3.3.5 | L2 | Correlate audit review, analysis, and reporting
CMMC-AU.L2-3.3.6 | L2 | Provide audit record reduction and report generation
CMMC-AU.L2-3.3.7 | L2 | Synchronize clocks with authoritative time source
CMMC-AU.L2-3.3.8 | L2 | Protect audit info and tools from unauthorized access
CMMC-AU.L2-3.3.9 | L2 | Limit audit logging management to privileged users

Awareness & Training (AT) 3 controls
Control ID | Level | Name
CMMC-AT.L2-3.2.1 | L2 | Ensure awareness of security risks and applicable policies
CMMC-AT.L2-3.2.2 | L2 | Train in assigned security duties and responsibilities
CMMC-AT.L2-3.2.3 | L2 | Provide insider threat awareness training

CA 3 controls
Control ID | Name | IG
CMMC-CA.2.157 | Security assessments roles | L1-L3
CMMC-CA.2.158 | Plan of action and milestones | L2-L3
CMMC-CA.3.161 | Monitor security controls on ongoing basis | L2-L3

CM 5 controls
Control ID | Name | IG
CMMC-CM.1.069 | Establish/maintain baseline configurations | L1-L3
CMMC-CM.2.061 | Establish/maintain asset baseline | L2-L3
CMMC-CM.2.062 | Control and monitor user-installed software | L1-L3
CMMC-CM.2.064 | Establish/maintain security configuration | L1-L3
CMMC-CM.3.068 | Employ deny-by-exception policy | L1-L3

Configuration Mgmt (CM) 9 controls
Control ID | Level | Name
CMMC-CM.L2-3.4.1 | L2 | Establish/maintain baseline configs and inventories
CMMC-CM.L2-3.4.2 | L2 | Establish/enforce security configuration settings
CMMC-CM.L2-3.4.3 | L2 | Track, review, approve/disapprove, log changes
CMMC-CM.L2-3.4.4 | L2 | Analyze security impact of changes prior to implementation
CMMC-CM.L2-3.4.5 | L2 | Define/enforce physical and logical access restrictions for changes
CMMC-CM.L2-3.4.6 | L2 | Employ least functionality (only essential capabilities)
CMMC-CM.L2-3.4.7 | L2 | Restrict/disable nonessential programs, ports, protocols
CMMC-CM.L2-3.4.8 | L2 | Apply deny-by-exception software policy
CMMC-CM.L2-3.4.9 | L2 | Control and monitor user-installed software

IA 3 controls
Control ID | Name | IG
CMMC-IA.1.076 | Identify users, processes, devices | L1-L3
CMMC-IA.1.077 | Authenticate users, processes, devices | L1-L3
CMMC-IA.3.083 | Use multifactor authentication | L1-L3

Identification & Auth (IA) 11 controls
Control ID | Level | Name
CMMC-IA.L1-3.5.1 | L1 | Identify system users, processes, and devices
CMMC-IA.L1-3.5.2 | L1 | Authenticate identities as prerequisite to access
CMMC-IA.L2-3.5.10 | L2 | Store/transmit only cryptographically-protected passwords
CMMC-IA.L2-3.5.11 | L2 | Obscure feedback of authentication information
CMMC-IA.L2-3.5.3 | L2 | Use MFA for local/network access
CMMC-IA.L2-3.5.4 | L2 | Employ replay-resistant authentication
CMMC-IA.L2-3.5.5 | L2 | Prevent reuse of identifiers for defined period
CMMC-IA.L2-3.5.6 | L2 | Disable identifiers after defined inactivity period
CMMC-IA.L2-3.5.7 | L2 | Enforce minimum password complexity
CMMC-IA.L2-3.5.8 | L2 | Prohibit password reuse for specified generations
CMMC-IA.L2-3.5.9 | L2 | Allow temporary password with immediate change required

Incident Response (IR) 3 controls
Control ID | Level | Name
CMMC-IR.L2-3.6.1 | L2 | Establish incident-handling capability
CMMC-IR.L2-3.6.2 | L2 | Track, document, report incidents to officials
CMMC-IR.L2-3.6.3 | L2 | Test organizational incident response capability

IR 4 controls
Control ID | Name | IG
CMMC-IR.1.010 | Establish operational incident handling capability | L1-L3
CMMC-IR.2.092 | Establish operational incident handling | L2-L3
CMMC-IR.2.093 | Track/document/control incidents | L2-L3
CMMC-IR.3.098 | Track/document/control incidents | L2-L3

Maintenance (MA) 6 controls
Control ID | Level | Name
CMMC-MA.L2-3.7.1 | L2 | Perform maintenance on organizational systems
CMMC-MA.L2-3.7.2 | L2 | Controls on maintenance tools, techniques, personnel
CMMC-MA.L2-3.7.3 | L2 | Ensure off-site maintenance equipment sanitized of CUI
CMMC-MA.L2-3.7.4 | L2 | Check diagnostic/test media for malicious code
CMMC-MA.L2-3.7.5 | L2 | Require MFA for nonlocal maintenance; terminate when complete
CMMC-MA.L2-3.7.6 | L2 | Supervise maintenance personnel without required access

Media Protection (MP) 9 controls
Control ID | Level | Name
CMMC-MP.L1-3.8.3 | L1 | Sanitize/destroy media before disposal/reuse
CMMC-MP.L2-3.8.1 | L2 | Physically control and securely store media with CUI
CMMC-MP.L2-3.8.2 | L2 | Limit access to CUI on system media
CMMC-MP.L2-3.8.4 | L2 | Mark media with CUI markings and distribution limitations
CMMC-MP.L2-3.8.5 | L2 | Control media access; maintain accountability during transport
CMMC-MP.L2-3.8.6 | L2 | Encrypt CUI on digital media during transport
CMMC-MP.L2-3.8.7 | L2 | Control use of removable media on system components
CMMC-MP.L2-3.8.8 | L2 | Prohibit portable storage with no identifiable owner
CMMC-MP.L2-3.8.9 | L2 | Protect confidentiality of backup CUI at storage locations

MP 3 controls
Control ID | Name | IG
CMMC-MP.1.118 | Protect system media containing CUI | L1-L3
CMMC-MP.2.119 | Limit access to CUI on media | L1-L3
CMMC-MP.3.122 | Mark media with CUI designations | L1-L3

Personnel Security (PS) 2 controls
Control ID | Level | Name
CMMC-PS.L2-3.9.1 | L2 | Screen individuals prior to authorizing access to CUI
CMMC-PS.L2-3.9.2 | L2 | Protect CUI during/after personnel actions

Physical Protection (PE) 6 controls
Control ID | Level | Name
CMMC-PE.L1-3.10.1 | L1 | Limit physical access to systems, equipment, environments
CMMC-PE.L1-3.10.3 | L1 | Escort visitors and monitor visitor activity
CMMC-PE.L1-3.10.4 | L1 | Maintain audit logs of physical access
CMMC-PE.L1-3.10.5 | L1 | Control and manage physical access devices
CMMC-PE.L2-3.10.2 | L2 | Protect and monitor physical facility/support infrastructure
CMMC-PE.L2-3.10.6 | L2 | Enforce CUI safeguarding at alternate work sites

Risk Assessment (RA) 3 controls
Control ID | Level | Name
CMMC-RA.L2-3.11.1 | L2 | Periodically assess risk to operations, assets, individuals
CMMC-RA.L2-3.11.2 | L2 | Scan for vulnerabilities periodically and when new ones identified
CMMC-RA.L2-3.11.3 | L2 | Remediate vulnerabilities per risk assessments

RM 3 controls
Control ID | Name | IG
CMMC-RM.2.141 | Establish risk management strategy | L2-L3
CMMC-RM.2.142 | Risk tolerance documentation | L2-L3
CMMC-RM.3.144 | Periodically assess risk to operations | L2-L3

SC 4 controls
Control ID | Name | IG
CMMC-SC.1.175 | Monitor/control communications | L1-L3
CMMC-SC.3.177 | Employ FIPS-validated cryptography | L1-L3
CMMC-SC.3.185 | Implement subnetworks for publicly accessible components | L2-L3
CMMC-SC.3.187 | Establish/manage cryptographic keys | L1-L3

Security Assessment (CA) 4 controls
Control ID | Level | Name
CMMC-CA.L2-3.12.1 | L2 | Periodically assess security controls for effectiveness
CMMC-CA.L2-3.12.2 | L2 | Develop/implement plans of action for deficiencies
CMMC-CA.L2-3.12.3 | L2 | Monitor security controls on an ongoing basis
CMMC-CA.L2-3.12.4 | L2 | Develop, document, periodically update system security plans

SI 3 controls
Control ID | Name | IG
CMMC-SI.1.210 | Policy for flaw remediation | L1-L2
CMMC-SI.2.214 | Scan for vulnerabilities | L1-L3
CMMC-SI.2.216 | Monitor organizational systems for attacks | L2-L3

SR 3 controls
Control ID | Name | IG
CMMC-SR.1.161 | Develop supply chain risk management plan | L2-L3
CMMC-SR.2.169 | Assess supply chain risk | L2-L3
CMMC-SR.3.177 | Employ SBOM | L2-L3

Sys & Comms Protection (SC) 16 controls
Control ID | Level | Name
CMMC-SC.L1-3.13.1 | L1 | Monitor/control/protect communications at boundaries
CMMC-SC.L1-3.13.5 | L1 | Implement subnetworks for publicly accessible components
CMMC-SC.L2-3.13.10 | L2 | Establish and manage cryptographic keys
CMMC-SC.L2-3.13.11 | L2 | Employ FIPS-validated cryptography for CUI
CMMC-SC.L2-3.13.12 | L2 | Prohibit remote activation of collaborative devices
CMMC-SC.L2-3.13.13 | L2 | Control and monitor use of mobile code
CMMC-SC.L2-3.13.14 | L2 | Control and monitor use of VoIP technologies
CMMC-SC.L2-3.13.15 | L2 | Protect authenticity of communications sessions
CMMC-SC.L2-3.13.16 | L2 | Protect confidentiality of CUI at rest
CMMC-SC.L2-3.13.2 | L2 | Employ architectural designs for security
CMMC-SC.L2-3.13.3 | L2 | Separate user functionality from system management
CMMC-SC.L2-3.13.4 | L2 | Prevent unauthorized info transfer via shared resources
CMMC-SC.L2-3.13.6 | L2 | Deny network traffic by default; allow by exception
CMMC-SC.L2-3.13.7 | L2 | Prevent split tunneling on remote devices
CMMC-SC.L2-3.13.8 | L2 | Encrypt CUI during transmission
CMMC-SC.L2-3.13.9 | L2 | Terminate connections at end of sessions/after inactivity

Sys & Info Integrity (SI) 7 controls
Control ID | Level | Name
CMMC-SI.L1-3.14.1 | L1 | Identify, report, correct system flaws in timely manner
CMMC-SI.L1-3.14.2 | L1 | Provide malicious code protection at appropriate locations
CMMC-SI.L1-3.14.4 | L1 | Update malicious code protection when new releases available
CMMC-SI.L1-3.14.5 | L1 | Perform periodic scans and real-time scans from external sources
CMMC-SI.L2-3.14.3 | L2 | Monitor security alerts/advisories and take action
CMMC-SI.L2-3.14.6 | L2 | Monitor systems for attack indicators (inbound/outbound)
CMMC-SI.L2-3.14.7 | L2 | Identify unauthorized use of organizational systems

Crosswalk density to NIST CSF 2.0

Top 12 NIST CSF categories by number of CMMC 2.0 controls mapped. The distribution tells you where the framework's emphasis sits against NIST's six functions.

NIST category | Controls mapped
PR.AA | 27
PR.DS | 17
PR.PS | 17
DE.CM | 16
PR.IR | 10
DE.AE | 8
PR.AT | 7
ID.RA | 6
RS.AN | 6
GV.RM | 5
GV.RR | 5
AN.TI | 5

Frequently asked questions

Do I need CMMC certification if I don't handle CUI?

If you handle Federal Contract Information (FCI) but not CUI, you are subject to Level 1 — which covers 17 practices and allows annual self-attestation. If you handle CUI, Level 2 is required. If you're not a DoD contractor at all, CMMC does not apply.

When does CMMC take effect for my contracts?

The rollout is phased. DoD contracts began including CMMC requirements on December 16, 2024, but full enforcement across the DIB is expected over three years. Check specific contract clauses (DFARS 252.204-7021) or ask your contracting officer.

Can I self-assess at Level 2?

Only for a narrow subset of contracts deemed lower-criticality. Most Level 2 contracts require a C3PAO (CMMC Third-Party Assessor Organization) assessment every three years. Self-assessment is allowed for Level 1 and for certain Level 2 scopes — the contract tells you which applies.

Next

See your stack against CMMC 2.0

Start a free assessment, select CMMC 2.0 as a required framework, and see which controls your current tools already cover — and which gaps need new investment.