What is CMMC? CMMC 2.0 Levels + DIB Physical Security

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense compliance program for the defense industrial base (DIB), the roughly 220,000 contractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). CMMC 2.0 (effective late 2024 with phased implementation through 2028) defines three levels: Level 1 (basic FCI handling), Level 2 (NIST SP 800-171, CUI handling), Level 3 (advanced threats, NIST SP 800-172). Physical security controls include facility access, visitor management, media protection, and personnel security. Cleared facilities at Level 3 typically require mantraps and dual-control access at CUI zones.

The short definition

Announced in 2019 and revised as CMMC 2.0 in late 2021, the program responds to repeated theft of CUI from DIB contractors. The 2.0 model simplified the original five levels into three, reduced self-assessment scope, and added flexibility for small businesses. Implementation began in 2024 and rolls out across DoD solicitations through 2028.

Physical security is one slice of CMMC. Most requirements are cyber-focused: encryption, access management, incident response, configuration management. Physical access and visitor management cluster around 15 to 20 of the 110 controls at Level 2.

CMMC 2.0 levels

Level 1: Foundational. 17 controls protecting Federal Contract Information (FCI). Self-assessed annually. Most DIB contractors operate at Level 1 unless they handle CUI.
Level 2: Advanced. 110 controls from NIST SP 800-171 for CUI handling. Third-party assessed by a Certified Third-Party Assessment Organization (C3PAO) every 3 years for most contracts. The default level for mid-tier and prime contractors handling controlled technical data.
Level 3: Expert. Adds 24 controls from NIST SP 800-172 for protection against advanced persistent threats. Government-led assessment by DCMA DIBCAC. Top-tier programs (research labs, weapons systems, advanced electronics).

Physical security controls at Level 2

The physical and environmental protection family (PE) covers most of the relevant controls.

PE.L2-3.10.1: Limit physical access. Badge readers, locked rooms, restricted entry to systems handling CUI.
PE.L2-3.10.2: Protect during transport. Authorize and monitor entry of and exit from CUI areas.
PE.L2-3.10.3: Escort visitors. Visitors in CUI areas under escort. Visitor logs with photo capture.
PE.L2-3.10.4: Maintain audit logs. Physical access logs reviewed at least quarterly.
PE.L2-3.10.5: Control physical access devices. Manage badges, keys, locks. Termination revocation.
PE.L2-3.10.6: Enforce safeguarding measures for CUI at alternative work sites. Home offices, satellite locations holding CUI.

Camera and access design at DIB sites

Standard pattern for CMMC Level 2 readiness:

Cameras at CUI room entry. Dome or bullet at the door, 90-day retention minimum. NDAA-compliant vendor (Axis, Hanwha, Avigilon, Bosch).
Badge access with audit trail. Multi-format reader at the CUI room door. Centralized PACS, role-based access, quarterly review.
Visitor management. Digital sign-in with photo capture and badge issuance. Escort enforcement at CUI rooms.
Termination revocation. HR-to-PACS automation; badge revoked within hours of separation.
Workstation screen protection. Privacy filters or seated screens visible only to the operator. Camera placement avoids screen capture.

Level 3 additions

Top-tier facilities handling controlled technical data, weapons systems, or advanced research add:

Mantraps at CUI rooms. Two-door vestibules or single-occupant booths.
MFA at all sensitive doors. Badge plus PIN minimum; biometric where threat justifies.
Continuous physical monitoring. Verified-monitoring or guard-staffed central station with response procedures.
Insider threat program. Camera analytics for unusual behavior, integration with HR signals, formal investigation procedures.

When to ask Tec-Tel about CMMC

DIB contractors approaching first-time Level 2 assessment, or facing C3PAO findings on physical security. We'll inventory existing camera and access infrastructure, identify gaps against the PE control family, scope the remediation, and pair with the customer's CMMC consultant. Free scoping call.

Frequent buyer questions

What's the difference between CMMC and NIST SP 800-171?

NIST SP 800-171 is the underlying control catalog (110 controls) for protecting CUI. CMMC is the certification framework that requires defense contractors to implement and verify those controls. CMMC Level 2 maps directly to NIST SP 800-171. CMMC adds independent third-party assessment (C3PAO) for prime contractors and self-attestation for some lower-tier subcontractors. Compliance with NIST SP 800-171 doesn't automatically equal CMMC compliance; the assessment and certification cycle is separate.

What are the three CMMC 2.0 levels?

Level 1 (Foundational): 17 basic controls for protecting Federal Contract Information. Self-assessed annually. Roughly 80 percent of the DIB. Level 2 (Advanced): 110 controls from NIST SP 800-171 for CUI handling. Third-party assessed for most contracts. Mid-tier and prime contractors. Level 3 (Expert): adds 24 controls from NIST SP 800-172 for advanced persistent threat protection. Government-led assessment. Top-tier programs only.

What physical security controls does CMMC require?

Common CUI zone requirements at Level 2: cameras at facility entry and CUI rooms with at least 90-day retention, badge access with audit trail at CUI rooms, visitor management with photo capture and escort, screen-protection at workstations handling CUI, and locked storage for paper CUI. Level 3 adds mantraps or equivalent at CUI rooms, MFA at all sensitive doors, and tighter monitoring controls.

When does CMMC become mandatory for DoD contracts?

CMMC 2.0 implementation began in late 2024 with phased rollout through 2028. Initial DoD solicitations referenced CMMC requirements; by 2026 most CUI-handling contracts include CMMC requirements. Contracts of any value that touch CUI typically require Level 2 certification or higher. New solicitations after the phased implementation date refuse bids from non-certified contractors. The compliance lead-time is real: most contractors need 12 to 18 months to achieve Level 2.

Are Hikvision and Dahua banned from CMMC environments?

Yes, indirectly. NDAA Section 889 already prohibits Hikvision, Dahua, Hytera, Huawei, and ZTE in federal contracts. Defense contractors at Level 2 or 3 must comply with all federal supply chain rules. Replacing Hikvision and Dahua cameras is the typical first step in CMMC physical-security uplift. See the NDAA Section 889 entry for the full procurement framework.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400