CMMC 2.0
The DoD's standard for protecting defense supply chains.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's framework for verifying that defense contractors protect sensitive government information. Published as a final rule in October 2024 and effective December 16, 2024, CMMC replaces self-attestation with verified assessments. Contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must implement specific cybersecurity practices at one of three maturity levels. Phased implementation began November 2025, with full enforcement across all applicable DoD contracts within three years.
● Key Facts
- ✓ Level 1: 17 practices (FAR 52.204-21), protects FCI, annual self-assessment
- ✓ Level 2: 110 requirements (NIST SP 800-171 R2), protects CUI, C3PAO assessment required for most contracts
- ✓ Level 3: Level 2 + 24 enhanced requirements (NIST SP 800-172), government DIBCAC assessment
- ✓ Who must comply: Defense contractors and subcontractors at all tiers handling FCI or CUI
How Altivus Helps
We guide defense contractors through CMMC scoping, gap remediation, and certification readiness.
NIST CSF 2.0
Flexible, scalable risk management for any organization.
Released February 2024, NIST CSF 2.0 provides a flexible, outcome-driven approach to managing cybersecurity risk. Version 2.0 added a sixth core function, Govern, emphasizing leadership accountability and integrating cybersecurity into enterprise risk management. The framework organizes activities into six functions (Govern, Identify, Protect, Detect, Respond, Recover) with 22 categories and 106 subcategories. Unlike CMMC, CSF 2.0 is voluntary and sector-agnostic, making it adaptable for critical infrastructure, healthcare, finance, and K-12 education.
● Key Facts
- ✓ 6 core functions: Govern (new in 2.0), Identify, Protect, Detect, Respond, Recover
- ✓ 4 implementation tiers: Partial, Risk-Informed, Repeatable, Adaptive
- ✓ 22 categories, 106 subcategories
- ✓ Voluntary and scalable — any size organization, any sector
- ✓ Maps to NIST 800-171, ISO 27001, and CIS Controls
How Altivus Helps
We help organizations implement CSF 2.0 to build resilient cybersecurity programs aligned with business risk priorities.
CIS Controls v8.1
Prioritized cyber hygiene for schools and small businesses.
CIS Controls v8.1, published by the Center for Internet Security, is a prioritized set of 18 cybersecurity best practices with 153 safeguards organized into three Implementation Groups. IG1 provides foundational cyber hygiene (56 safeguards) essential for all organizations. IG2 adds depth for enterprises with more complex environments (130 total), and IG3 covers mature organizations with specialized security teams (153 total). The controls are widely adopted by K-12 schools, SMBs, and municipalities seeking practical, cost-effective security baselines.
● Key Facts
- ✓ 18 controls, 153 total safeguards
- ✓ IG1: 56 safeguards (essential cyber hygiene, ideal starting point)
- ✓ IG2: 130 total (adds 74 for mid-sized enterprises)
- ✓ IG3: 153 total (adds 23 for advanced security programs)
- ✓ Ideal for K-12 schools and SMBs with limited cybersecurity staff
- ✓ Maps to NIST CSF, CMMC, and ISO 27001
How Altivus Helps
We support organizations in adopting CIS Controls at the right Implementation Group level with gap assessments and sustainable programs.