🇺🇸 Live Defense & National Security

CMMC 2.0 (32 CFR Part 170)

Establishes a tiered cybersecurity maturity model that defense contractors must achieve to handle controlled unclassified information. Applies to organizations in the Department of Defense supply chain.

View official source document

24

Rules extracted

584

Obligations decomposed

24.3x

Avg obligations per rule

🇺🇸 United States

Jurisdiction

What AuditDSS covers

Source

1

Regulation

Extracted

24

Rules

Decomposed

584

Obligations

24.3x

Decomposition ratio

Each rule is decomposed into an average of 24.3 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 584 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in CMMC 2.0 is scored across independent risk dimensions:

W

Obligation Weight

How critical within the regulatory framework

L

Violation Likelihood

How often breached in practice

E

Enforcement Evidence

Regulator enforcement history and penalties

C

Cascade Dependency

How many obligations depend on this one

Regulatory details

Full title
CMMC 2.0 (32 CFR Part 170)
Regulatory body
Department of Defense
Jurisdiction
🇺🇸 United States
Document type
regulation
Effective date
December 16, 2024
Industry
Defense & National Security
Official source
View source document ↗

Who this applies to

defense contractorssubcontractorssuppliers handling CUIdefense industrial base organizations

Key requirements

  • access control
  • identification and authentication
  • media protection
  • physical protection
  • system and communications protection
  • system and information integrity
  • third-party assessment

Frequently asked questions about CMMC 2.0

What is CMMC 2.0?
Establishes a tiered cybersecurity maturity model that defense contractors must achieve to handle controlled unclassified information. Applies to organizations in the Department of Defense supply chain.

Who does CMMC 2.0 apply to?
CMMC 2.0 applies to defense contractors, subcontractors, suppliers handling CUI, defense industrial base organizations.

How many obligations does CMMC 2.0 contain?
AuditDSS has decomposed CMMC 2.0 into 584 atomic obligations from 24 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of CMMC 2.0?
The key requirements include: access control, identification and authentication, media protection, physical protection, system and communications protection, system and information integrity, third-party assessment.

How can I assess my CMMC 2.0 compliance?
Upload your compliance policy to AuditDSS. The platform maps your document against all 584 CMMC 2.0 obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces CMMC 2.0?
CMMC 2.0 is enforced in United States by Department of Defense.

When did CMMC 2.0 come into effect?
CMMC 2.0 became effective on December 16, 2024.

What industry does CMMC 2.0 apply to?
CMMC 2.0 is primarily relevant to the Defense & National Security industry. AuditDSS covers 69 regulations in this industry sector.

Build a CMMC 2.0 compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for CMMC 2.0 — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering CMMC 2.0 requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine CMMC 2.0 with other regulations into a single unified compliance pack for your business.

Build CMMC 2.0 compliance pack

Already have a policy? Assess it against CMMC 2.0

1

Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2

AI maps against 584 obligations

Your document is scored against every obligation in CMMC 2.0. Each claim is mapped to the obligation tree and evaluated for coverage.

3

Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Related regulations in Defense & National Security

🇦🇺 Live

AU Climate Disclosure

10 rules, 52 obligations
🇦🇺 Live

DTCA

22 rules, 140 obligations
🇦🇺 Live

Fair Work Act 2009

16 rules, 260 obligations
🇦🇺 Live

Modern Slavery Act 2018

9 rules, 135 obligations
🇦🇺 Live

Privacy Act 1988

29 rules, 203 obligations
🇦🇺 Live

SOCI Act 2018

10 rules, 32 obligations
🇦🇺 Live

Model WHS Act

10 rules, 41 obligations
🇺🇸 Live

DFARS Cybersecurity

346 rules, 7,483 obligations

Assess your CMMC 2.0 compliance

Upload your document and get a risk-scored gap analysis against 584 CMMC 2.0 obligations in under 5 minutes.

Start assessment Browse all regulations