Achieve Cybersecurity Maturity Model Certification for the US defense supply chain.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a US Department of Defense program that verifies defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 has three levels, building on NIST SP 800-171 and 800-172.
CMMC certification is required for contractors and subcontractors in the Defense Industrial Base (DIB) that handle FCI or CUI.

Who needs CMMC v2.0?

Defense contractors

Any organization in the DoD supply chain handling FCI or CUI must achieve the required CMMC level.

Subcontractors

Flow-down requirements mean subcontractors must also meet CMMC levels appropriate to the data they handle.

Key components

Level 1 — Foundational

17 basic safeguarding practices for protecting FCI. Annual self-assessment.

Level 2 — Advanced

110 practices aligned with NIST SP 800-171. Third-party assessment for prioritized programs.

Level 3 — Expert

Adds NIST SP 800-172 enhanced practices. Government-led assessment.

CUI protection

Controls specifically designed to protect Controlled Unclassified Information.

How DSALTA helps with CMMC v2.0

1. Activate CMMC

Select CMMC v2.0 and your target level. DSALTA maps the relevant practices to controls.

2. Review mapped controls

Review NIST 800-171-aligned controls and assign owners.

3. Collect evidence automatically

Connect integrations to gather technical evidence continuously.

4. Document an SSP

Build your System Security Plan and Plan of Action & Milestones (POA&M).

5. Prepare for assessment

Organize evidence for self-assessment or a C3PAO assessment.

Frequently asked questions

It depends on the data you handle. Level 1 for FCI only; Level 2 for most CUI; Level 3 for the most sensitive programs. Your DoD contract specifies the requirement.
CMMC Level 2 maps directly to the 110 controls in NIST SP 800-171. If you already meet 800-171, you are well positioned for Level 2.