The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the U.S. Department of Defense (DoD) framework that requires organisations in the Defense Industrial Base (DIB) to demonstrate that they adequately protect sensitive contract information. CMMC 2.0 streamlines the original five-level model into three levels aligned with existing federal standards, primarily NIST SP 800-171 and NIST SP 800-172.
Venvera covers the full CMMC 2.0 lifecycle:
- Practices & Domains — Browse and manage the 110+ security practices across 14 domains
- Controls — Implement operational controls mapped to CMMC practices
- Gap Assessment & SPRS Score — Evaluate readiness and calculate your Supplier Performance Risk System score
- Evidence — Collect and organise artifacts that demonstrate practice implementation
- POA&Ms — Track Plan of Action & Milestones for remediation
- Assessments — Manage self-assessments, C3PAO, and DIBCAC engagements
- Management Reviews — Record governance decisions and action items
- Readiness — Track certification milestones and pre-assessment preparation
The Three CMMC 2.0 Levels
| Level | Name | Practices | Assessment | What it protects |
|---|---|---|---|---|
| Level 1 | Foundational | 17 practices (FAR 52.204-21) | Annual self-assessment | Federal Contract Information (FCI) |
| Level 2 | Advanced | 110 practices (NIST SP 800-171 r2) | Triennial C3PAO certification assessment (self-assessment for a limited set of contracts), with an annual affirmation | Controlled Unclassified Information (CUI) |
| Level 3 | Expert | 110 Level 2 practices plus 24 selected from NIST SP 800-172 | Government-led (DIBCAC) assessment; a Level 2 C3PAO certification is a prerequisite | CUI on highest-priority programs |
Key Concepts
| Term | Definition |
|---|---|
| CUI | Controlled Unclassified Information — sensitive but unclassified information that law, regulation or government-wide policy requires to be safeguarded; NIST SP 800-171 defines the safeguarding requirements on nonfederal systems |
| FCI | Federal Contract Information — information not intended for public release, provided by or generated for the government under a contract |
| C3PAO | CMMC Third-Party Assessment Organisation — accredited to conduct Level 2 certification assessments |
| DIBCAC | Defense Industrial Base Cybersecurity Assessment Center — the DoD body that conducts Level 3 assessments |
| SPRS | Supplier Performance Risk System — DoD portal where contractors submit their NIST SP 800-171 self-assessment scores (range: -203 to 110, computed under the DoD Assessment Methodology) |
| SSP | System Security Plan — formal document describing the system boundary, the security requirements and how each control is implemented |
| POA&M | Plan of Action & Milestones — document listing each unimplemented requirement, the remediation tasks and their target dates; an open POA&M item earns no SPRS credit until it is closed |
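The Gap Assessment feature above reports an SPRS score, and the SPRS row in this table gives its range. The following scorer is an added example (not Venvera's code) of the arithmetic behind that number, as defined by the NIST SP 800-171 DoD Assessment Methodology: start at 110, subtract a 1-, 3- or 5-point weight for every practice that is NOT MET, treat open POA&M items as NOT MET and justified N/A practices as MET, and apply the reduced deduction the methodology allows for partially implemented MFA (3.5.3) and FIPS-validated cryptography (3.13.11). The weight table is a constructed eight-practice subset with assumed values; the authoritative weight for every practice is in Annex A of the methodology, and the `Finding`, `Status` and `score` names are this example's own.

```python
"""SPRS score calculator (added example; not Venvera code).

Rules implemented are the DoD Assessment Methodology's own.  WEIGHTS is a
constructed subset with assumed values; take the real 1/3/5 weight for each
practice from Annex A of the methodology before using this for a submission.
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110  # score when every practice is implemented


class Status(Enum):
    MET = "met"                        # fully implemented
    NOT_MET = "not_met"                # not implemented
    PARTIAL = "partial"                # only valid for 3.5.3 and 3.13.11
    NOT_APPLICABLE = "not_applicable"  # justified N/A scores the same as MET
    POAM = "poam"                      # open POA&M item: scored as NOT MET


# Constructed subset of the Annex A weight table (assumed values).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorised users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.2": 5,   # malicious code protection
}

# Reduced deduction when partially implemented: MFA in place for remote and
# privileged access but not for general users (3.5.3), or encryption in use
# but not FIPS-validated (3.13.11).  No other practice gets partial credit.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    practice: str
    status: Status


def deduction(finding: Finding) -> int:
    """Points subtracted from 110 for one finding."""
    if finding.practice not in WEIGHTS:
        raise KeyError(f"unknown practice {finding.practice}")
    if finding.status in (Status.MET, Status.NOT_APPLICABLE):
        return 0
    if finding.status is Status.PARTIAL:
        if finding.practice not in PARTIAL_DEDUCTION:
            raise ValueError(
                f"{finding.practice} has no partial-credit rule; "
                "score it MET or NOT MET")
        return PARTIAL_DEDUCTION[finding.practice]
    return WEIGHTS[finding.practice]  # NOT_MET and POAM lose the full weight


def score(findings: list) -> dict:
    """Return the SPRS score plus the per-practice deductions behind it.

    A practice with no finding is scored NOT MET (no evidence, no credit),
    and a practice reported twice is rejected so nothing is double counted.
    """
    seen = {}
    for f in findings:
        if f.practice in seen:
            raise ValueError(f"duplicate finding for {f.practice}")
        seen[f.practice] = f
    deductions = {}
    for practice in WEIGHTS:
        f = seen.get(practice, Finding(practice, Status.NOT_MET))
        d = deduction(f)
        if d:
            deductions[practice] = d
    return {
        "score": MAX_SCORE - sum(deductions.values()),
        "deductions": deductions,
        # floor for the table in use; with the full Annex A table it is -203
        "min_possible": MAX_SCORE - sum(WEIGHTS.values()),
    }


# Constructed assessment result for the subset above.
SAMPLE_FINDINGS = [
    Finding("3.1.1", Status.MET),
    Finding("3.1.2", Status.MET),
    Finding("3.1.5", Status.POAM),             # remediation planned: still -3
    Finding("3.1.20", Status.NOT_MET),         # -1
    Finding("3.1.22", Status.NOT_APPLICABLE),  # no public systems, justified in SSP
    Finding("3.5.3", Status.PARTIAL),          # MFA for remote/privileged only: -3
    Finding("3.13.11", Status.NOT_MET),        # non-validated crypto claimed? no: -5
    Finding("3.14.2", Status.MET),
]

if __name__ == "__main__":
    report = score(SAMPLE_FINDINGS)
    print(f"SPRS score: {report['score']} (floor {report['min_possible']})")
    for practice, points in report["deductions"].items():
        print(f"  {practice}: -{points}")
```

Two behaviours are worth noting when reconciling this with a Gap Assessment report: an item moved to the POA&M does not recover any points until the practice is actually implemented, and a practice that nobody assessed is treated here as NOT MET rather than silently skipped, which is the conservative reading an assessor would take.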