If you do business with the Department of Defense (DoD), you’ve probably heard about the Cybersecurity Maturity Model Certification (CMMC). CMMC is the DoD’s framework for making sure contractors properly safeguard sensitive information.
With CMMC 2.0, organizations fall into three levels of requirements depending on what kind of data they handle. Here’s what you need to know.
The Three Levels of CMMC 2.0
Level 1 – Foundational: Covers 17 basic safeguarding practices (from FAR 52.204-21, the Federal Acquisition Regulation clause on basic safeguarding of contractor information systems) designed to protect Federal Contract Information (FCI). Think of this as good cybersecurity hygiene: restricting system access to authorized users, identifying and authenticating those users, and protecting data while it is transmitted.
Level 2 – Advanced: Requires 110 security practices aligned with NIST SP 800-171 to protect Controlled Unclassified Information (CUI). This is where requirements get more detailed: multi-factor authentication, vulnerability scans, incident response planning, and more.
Level 3 – Expert: Applies to contractors working with the most sensitive programs. It draws from NIST SP 800-172 and focuses on advanced, proactive defenses.
The 14 Domains of CMMC
Every requirement falls under one of 14 domains. These categories give structure to the framework:
- Access Control (AC)
- Awareness & Training (AT)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System & Communications Protection (SC)
- System & Information Integrity (SI)
Examples of What’s Required
Instead of dropping 110 technical requirements here (you can view the full list in the official DoD documents), let’s look at some examples at each level:
Level 1 Practices:
- Limit system access to authorized users.
- Identify and authenticate users before granting access.
- Protect information during transmission.
Level 2 Requirements:
- Implement multi-factor authentication.
- Generate and review audit logs.
- Perform regular vulnerability scans.
- Create and test an incident response plan.
Level 3 Enhancements:
- Advanced monitoring and detection.
- Proactive defense against sophisticated cyber threats.
Why This Matters
For contractors, compliance with CMMC isn’t optional: it’s the key to keeping and winning DoD contracts. The challenge is that the framework can feel overwhelming, because it’s not just about technology. It’s also about policies, processes, and training.
How ComTec Solutions Can Help
At ComTec Solutions, our CMMC Ready services are designed to align directly with the requirements and best practices of CMMC 2.0. When you partner with us, you get the tools and support you need to reach and maintain compliance, including:
- Password Manager to strengthen credential security
- Security and Compliance Management Software to monitor and enforce policies
- Email Spam Filtering for proactive protection against threats
- Microsoft GCC
- Cloud Backup Software and Storage to ensure business continuity and data protection
And beyond the core tools, we also provide optional services to help you prepare for and sustain compliance:
- Annual Penetration Testing
- Annual Disaster Recovery Testing
- CMMC Gap Analysis
- Annual CMMC Assessment
- Annual Incident Response Testing
Whether you’re just starting at Level 1 or preparing for Level 2 certification, we’ll make sure you have the people, processes, and technology in place to succeed.
Ready to take the next step? Contact us today to talk with our CMMC experts.