CMMC 2.0 Levels Explained: Advanced and Expert Cybersecurity Guide
CMMC 2.0 Level 2 (Advanced)
Level 2 (Advanced) is the second level of the CMMC 2.0 framework. It is the intermediate level and applies to companies that handle Controlled Unclassified Information (CUI). Rather than "industry best practices" in the abstract, Level 2 has a fixed scope: the 110 security requirements of NIST SP 800-171, which the contractor must implement and be able to demonstrate. Those 110 requirements span 14 domains, including configuration management, incident response, identification and authentication, and maintenance.
CMMC 2.0 Level 3 (Expert)
Level 3 (Expert) is the highest level of the CMMC 2.0 framework. It builds on Level 2 and is aimed at protecting CUI against more capable threats. For Level 3 there are 134 required controls: the 110 from NIST SP 800-171 plus 24 enhanced requirements selected from NIST SP 800-172. These controls are means of managing risk and include policies, procedures, guidelines, practices, and organizational structures, which can be administrative, technical, management, or legal in nature; they are specified by NIST SP 800-171 and NIST SP 800-172, with the basic safeguarding requirements of FAR 52.204-21 underlying all levels. The controls are organized under the same 14 domains used at Level 2, which correspond to the 14 requirement families of NIST SP 800-171; NIST SP 800-172 adds enhanced requirements within that family structure. At Level 3, CMMC 2.0 requires the contractor to go beyond documenting processes and to take an active role in managing and implementing the controls, providing the highest level of assurance the framework offers.