CMMC

CMMC 2.0

The Department of Defense's revised Cybersecurity Maturity Model Certification program, codified at 32 CFR Part 170 and finalized December 16, 2024. CMMC 2.0 collapses the original five maturity levels to three (Level 1 self-assessment, Level 2 third-party assessment, Level 3 government-led assessment) and aligns Level 2 directly to the 110 controls in NIST SP 800-171 Revision 2. The corresponding DFARS contract clause 252.204-7021 began phasing into solicitations in 2025 on a four-phase rollout that completes in 2028.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.