How is the CMMC 2.0 model structured?

In November 2021, the US Department of Defense (DoD) announced CMMC 2.0. This new iteration restructured and repurposed the CMMC model, increasing the number of controls that businesses needed to meet to gain certification and associating it directly with NIST SP 800-171 and SP 800-172.

By coordinating with the National Institute of Standards and Technology (NIST), the DoD were able to create a simpler structure, built around the SP 800-171 and SP 800-172 controls. Whilst these controls were stricter and more difficult to meet, the system was easier for businesses to follow. As well as looking to improve the cyber security readiness of the defence industrial base, the DoD wanted to provide a certification that was clear and understandable.