What is CMMC 2.0?
Cyber Maturity Model Upgraded
If you’re an Australian business exploring opportunities in the US defence sector, you’ve probably heard references to CMMC 2.0. You may even know companies that are being asked by US primes or partners if they’re compliant. But what exactly does “2.0” mean, how is it different from the original model, and why does it matter for Australian organisations?
The Evolution of CMMC
The original CMMC framework was launched in 2020. It aimed to ensure all contractors in the US defence supply chain met baseline cyber security standards. However, feedback from industry quickly highlighted that the five-level structure was complex, costly, and in some cases, impractical for small and mid-sized businesses.
In response, the US Department of Defense streamlined the model, creating CMMC 2.0 in 2021. This version reduces complexity, aligns more closely with existing standards like NIST SP 800-171, and provides a more practical path for businesses of all sizes.
The Three Levels of CMMC 2.0
The most important change is the reduction from five certification levels to three. Each level reflects the type of information you’ll be handling and the level of security expected:
Level 1 – Foundational
Focused on protecting Federal Contract Information (FCI).
Requirements: 17 basic security practices (based on FAR 52.204-21).
Assessment: Self-assessment for most contracts.
Relevance: Suitable for businesses dealing with less sensitive US Defence work.
Level 2 – Advanced
Required for companies handling Controlled Unclassified Information (CUI).
Requirements: 110 practices aligned with NIST SP 800-171.
Assessment: Mix of self-assessments and third-party certification depending on contract sensitivity.
Relevance: The majority of Australian businesses targeting US Defence contracts will fall into this level.
Level 3 – Expert
Designed for the most sensitive and critical defence projects.
Requirements: Based on NIST SP 800-172 (enhanced security controls).
Assessment: Government-led assessments.
Relevance: Only a small number of highly specialised businesses will need this level.
Why the Change Matters
CMMC 2.0 introduces several key shifts that are particularly relevant for Australian companies:
Simplification: Fewer levels mean a clearer roadmap to compliance.
Alignment with NIST: Many businesses already follow NIST standards, so compliance efforts are more streamlined.
Flexibility in Assessments: Not all businesses will require third-party certification. Some can meet obligations through self-assessment, reducing cost and complexity.
What Does This Mean for Australian Businesses?
If you are an Australian business looking to supply into the US Defence ecosystem, you need to determine:
Whether your contracts involve FCI or CUI.
Which level of CMMC 2.0 is required.
How far your existing frameworks (DISP, ISO 27001, or internal security practices) already align with NIST 800-171.
This is where many businesses discover gaps. For example, DISP compliance may overlap with CMMC requirements, but it doesn’t automatically guarantee NIST 800-171 alignment.
Common Challenges in Meeting CMMC 2.0
Australian companies often encounter three main challenges:
Documentation and Evidence: It’s not enough to have controls in place — you must also show evidence of how they’re applied.
Continuous Monitoring: CMMC requires ongoing practices, not a one-time uplift.
Navigating US Certification: Understanding the role of US-accredited assessors can be complex for non-US companies.
Why External Expertise Is Required
CMMC 2.0 is not just a checklist of IT controls — it’s a structured maturity model built around the US NIST standards, with evidence, documentation, and governance requirements that go far beyond typical cyber uplift projects. For most Australian businesses, this introduces three challenges:
Complexity of Standards: NIST 800-171 is highly detailed and technical, requiring interpretation in the context of your existing environment.
Overlap with Other Frameworks: Many businesses already follow DISP or ISO 27001. Without external expertise, it’s easy to duplicate effort or miss critical gaps.
Certification Pathways: US Defence contracts require assessment by accredited US bodies. Navigating this process from Australia without established connections can be slow, costly, and confusing.
For these reasons, relying solely on internal resources is rarely enough. External expertise helps you interpret the standards, streamline the uplift, and access certification without unnecessary delays or wasted investment.
CMMC 2.0 is more than just a revision — it’s a clearer, more practical framework designed to strengthen the US Defence supply chain without creating unnecessary barriers. For Australian businesses, it’s an opportunity to align with a globally recognised standard, demonstrate resilience, and unlock new market opportunities.
Where to Start?
Most businesses benefit from starting with a CMMC Assessment to understand their current maturity level and identify priority actions. From there, you can create a targeted uplift plan to reach your compliance and security goals.