← Frameworks / Defense Regulation

Cybersecurity Maturity Model Certification 2.0 Level 2

US Department of Defense cybersecurity certification framework for the defense industrial base. Level 2 aligns to NIST SP 800-171 Rev 2 (110 security requirements) across 14 domains: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Required for contractors handling Controlled Unclassified Information (CUI). Third-party assessment (C3PAO) mandatory.

Clauses: 14

Avg Coverage: 90.8%

Publisher: U.S. Department of Defense (DoD) Version: 2.0 (2021)

CMMC 2.0 → SP 800-53 SP 800-53 → CMMC 2.0 Coverage Analysis

Clause	Title	SP 800-53 Controls
AC	Access Control	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 AC-13 AC-14 AC-16 AC-17 AC-18 AC-19 AC-20 AC-21 AC-22 AC-24 IA-02 IA-04 IA-05
AT	Awareness and Training	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PM-13 PM-14 PL-04
AU	Audit and Accountability	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 AU-13 AU-14 AU-16 SI-04
CA	Security Assessment	CA-01 CA-02 CA-03 CA-04 CA-05 CA-06 CA-07 CA-08 CA-09 PM-06 PM-10 PM-14 PL-01 PL-02
CM	Configuration Management	CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-08 CM-09 CM-10 CM-11 CM-12 CM-13 CM-14 SA-10
IA	Identification and Authentication	IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 IA-08 IA-09 IA-10 IA-11 IA-12
IR	Incident Response	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 PM-12 SI-05
MA	Maintenance	MA-01 MA-02 MA-03 MA-04 MA-05 MA-06 MA-07
MP	Media Protection	MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 MP-08 CP-09 SC-28
PE	Physical Protection	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-16 PE-17 PE-18
PS	Personnel Security	PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09
RA	Risk Assessment	RA-01 RA-02 RA-03 RA-04 RA-05 RA-06 RA-07 RA-08 RA-09 RA-10 PM-09 PM-28 CA-02 CA-08
SC	System and Communications Protection	SC-01 SC-02 SC-03 SC-04 SC-05 SC-07 SC-08 SC-10 SC-11 SC-12 SC-13 SC-15 SC-17 SC-18 SC-20 SC-21 SC-22 SC-23 SC-28 SC-39 SA-08
SI	System and Information Integrity	SI-01 SI-02 SI-03 SI-04 SI-05 SI-06 SI-07 SI-08 SI-10 SI-11 SI-12 SI-16 RA-05