Key Documents
CMMC Level 2 doesn’t sit in one document. It sits in three layers that work together: the regulations that bind you contractually, the technical standard that defines the 110 requirements, and the DoD-issued operational guides that describe how the requirements are assessed and scoped. Understanding the three layers saves you from reading 600+ pages of overlapping content without knowing what’s authoritative.
Layer 1 — Regulations
These are the rules that put CMMC into your contracts.
32 CFR Part 170 — the CMMC Program Rule. Defines the program: levels, scoring methodology, assessment process, POA&M rules, affirmation rules, flow-down obligations, terminology. Published 15 October 2024, effective 16 December 2024. This is the legal foundation. When this reference cites “§ 170.21” or “§ 170.24”, it is pointing to sections of this rule.
DFARS 252.204-7021 — the CMMC Certificate clause. The binding clause that requires a contractor to hold the appropriate CMMC status at the time of award and to maintain it throughout contract performance. Effective 10 November 2025, with inclusion in solicitations phased in over the following three years. This is the clause that flows CMMC into solicitations and down to subcontractors.
DFARS 252.204-7025 — the CMMC Notice clause. Tells offerors which CMMC level a solicitation requires. Goes alongside 7021.
DFARS 252.204-7012 — the Safeguarding CDI clause. Requires implementation of NIST SP 800-171 on any information system that processes, stores or transmits covered defense information, plus reporting of cyber incidents to DoD within 72 hours of discovery. In effect since 2017. CMMC does not replace 7012; it adds third-party (or DoD) verification that 7012’s requirements are actually implemented.
DFARS 252.204-7019 / 7020 — the existing Assessment Requirements clauses. 7019 requires a current NIST SP 800-171 self-assessment score in SPRS before award; 7020 requires the contractor to give DoD access to conduct its own Medium or High assessments and to flow the requirement down. Both date from November 2020. Pre-CMMC infrastructure that CMMC builds on; the SPRS score remains the artefact a Level 2 affirmation is tied to.
FAR 52.204-21 — Basic Safeguarding clause. The 15 requirements that define Level 1. Applies broadly to any contractor handling FCI; pre-dates CMMC.
Layer 2 — Technical standard
This is the technical baseline against which assessments measure you.
NIST SP 800-171 Rev 2 — Defines the 110 security requirements organised across 14 families. Published February 2020. Tells you what you must do. The CMMC Level 2 baseline.
NIST SP 800-171A — The companion assessment guide. Decomposes the 110 requirements into 320 determination statements (granular testable items, lettered [a], [b], [c]…). For each requirement it lists what documents to examine, who to interview and what to test. A requirement is MET only when every one of its determination statements is MET, so this is the assessor’s evidence checklist and the level at which you should be mapping your evidence.
NIST SP 800-172 — Source of the 24 additional requirements at CMMC Level 3. Not in scope for Level 2 contractors.
Layer 3 — DoD-issued operational guides
These are DoD’s layer on top of NIST. They incorporate the technical requirements and add CMMC-specific scoring rules, examples, and assessor guidance.
CMMC Assessment Guide – Level 2 (Version 2.13, September 2024) — DoD’s playbook for Level 2 assessments. Adds CMMC-specific scoring rules (MET / NOT MET / N/A), practical guidance per requirement, real-world examples. Used by C3PAOs during certification assessments.
CMMC Scoping Guide – Level 2 (Version 2.13, September 2024) — Defines how to determine your assessment boundary. Five asset categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialised Assets, Out-of-Scope Assets), separation techniques, ESP rules, enclave models. This document controls your compliance costs more than any other.
Both guides are maintained by the DoD CIO and published at dodcio.defense.gov/cmmc.
How they relate
32 CFR Part 170 → The program (legally binding)
    ↓
DFARS 252.204-7021 → Puts CMMC into your contract
    ↓
NIST SP 800-171 Rev 2 → What you must do (110 requirements)
    ↓
NIST SP 800-171A → How to prove you did it (320 determination statements)
    ↓
CMMC Assessment Guide – Level 2 → How the C3PAO evaluates it (scoring + guidance)
    ↓
CMMC Scoping Guide – Level 2 → What gets assessed (boundary definition)
Rev 2 vs Rev 3
NIST published NIST SP 800-171 Rev 3 on 14 May 2024, formally superseding Rev 2 in NIST’s publication history. Rev 3 reorganises the control families (17 families instead of 14), introduces 88 organisation-defined parameters (ODPs), and aligns with NIST SP 800-53 Rev 5.
However, CMMC remains locked to Rev 2 under DoD Class Deviation 2023-O0006, which has no published expiration date. Every CMMC assessment, every SPRS submission and every C3PAO certification continues to use Rev 2 as the baseline. DoD has stated it will incorporate Rev 3 through future rulemaking but has not announced a transition timeline; an April 2025 DoD memo defining ODP values for Rev 3 was a preparatory signal, not a transition.
Practical rule: build your CMMC programme against Rev 2. Track Rev 3 as a future-planning exercise. Don’t restructure your documentation (SSP, policies, evidence mapping) around Rev 3 while the assessment baseline is still Rev 2: assessors will measure you against Rev 2, and a Rev 3 family layout or requirement numbering that the assessor cannot trace back to the 110 Rev 2 requirements creates avoidable findings.
This entire reference is built on Rev 2.