
Essential Eight ML2 vs CMMC 2.0 Level 2

The complete gap analysis for Australian defence companies navigating dual-framework compliance. Understand exactly what each framework requires, where they overlap, and the control domains where CMMC 2.0 goes beyond the Essential Eight.

Why This Comparison Matters Now

Two regulatory changes in late 2024 and 2025 have created a new compliance reality for Australian defence companies. First, in October 2024, the Defence Industry Security Office (DISO) elevated the minimum cyber security requirement for all DISP applications and renewals from the ASD "Top 4" to the full Essential Eight at Maturity Level 2 (ML2). This change affects every company seeking or maintaining DISP membership — the gateway to Australian defence contracts.

Second, on 10 November 2025 the US Department of Defense began Phase 1 of the Cybersecurity Maturity Model Certification (CMMC) 2.0 rollout, with requirements phased into US DoD contracts over three years. Phase 1 relies on self-assessments; from Phase 2 (planned for November 2026), Level 2 certification by a C3PAO becomes a condition of award for contracts involving CUI. For Australian companies pursuing work through AUKUS Pillar II or bidding directly on US DoD contracts, CMMC 2.0 Level 2 certification is therefore becoming a contract prerequisite, required at the time of contract award rather than after it.

The critical question for Australian defence companies is: if we achieve E8ML2 for our DISP membership, how much additional work is required to achieve CMMC 2.0 Level 2? The answer, based on a systematic analysis of both frameworks, is that E8ML2 covers approximately 40–50 per cent of CMMC 2.0 Level 2 requirements. The remaining 50–60 per cent represents governance, documentation, and process controls that the Essential Eight does not address.

Framework Fundamentals

AUSTRALIAN FRAMEWORK

Essential Eight ML2

Developed by the Australian Signals Directorate (ASD), the Essential Eight is a prioritised set of eight mitigation strategies designed to protect organisations against the most common cyber threats. At Maturity Level 2, organisations must implement all eight controls consistently across all systems in scope, with evidence of effectiveness rather than mere policy documentation.

8 controls, 107 individual requirements at ML2
Mitigation-focused: technical controls only
Mandatory for DISP Baseline membership (Oct 2024)
Assessed by IRAP-accredited assessors
Annual review through DISP Annual Security Report
Governed by ASD / cyber.gov.au
US DoD FRAMEWORK

CMMC 2.0 Level 2

The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense's framework for ensuring contractors protect Controlled Unclassified Information (CUI). Level 2 is based on NIST SP 800-171 Rev 2 (the CMMC rule, 32 CFR Part 170, pins Level 2 to Rev 2 even though NIST has since published Rev 3) and requires all 110 practices across 14 control domains (the NIST security requirement families), plus formal documentation in the form of a System Security Plan (SSP) and, for any practice not yet fully met, a Plan of Action and Milestones (POA&M). Note that CMMC 2.0 tolerates POA&M items only for a limited set of practices and only for 180 days after a conditional certification.

110 practices across 14 control domains
Process + documentation + technical controls
Mandatory for US DoD contracts (Phase 1: Nov 2025)
Assessed by C3PAO (Third-Party Assessment Org)
Requires System Security Plan (SSP) and POA&M
Governed by US DoD / Cyber AB (formerly the CMMC Accreditation Body)

Control Domain Coverage: The Complete Gap Analysis

The following table maps each of the 14 NIST SP 800-171 Rev 2 families assessed at CMMC 2.0 Level 2 against the Essential Eight ML2 strategies. Strong means an Essential Eight strategy substantially satisfies the family, Partial means some practices are covered, and None means there is no Essential Eight equivalent and the family requires entirely new controls and documentation for CMMC compliance.

CMMC 2.0 Domain | NIST SP 800-171 Rev 2 Family | E8ML2 Coverage | Key Gap for Australian Companies
System & Information Integrity (SI) | 3.14.x: flaw remediation, malware protection, security alerts, system monitoring | Strong | E8 patch applications and patch operating systems directly address flaw remediation. CMMC adds monitoring of inbound and outbound traffic for attack indicators (3.14.6, 3.14.7). Minimal additional work beyond monitoring.
Identification & Authentication (IA) | 3.5.x: user identification, authentication, MFA | Strong | E8 multi-factor authentication addresses the core IA requirements. CMMC adds authenticator management (password and authenticator handling) and replay-resistant authentication specifics.
Configuration Management (CM) | 3.4.x: baseline configurations, change control, least functionality | Partial | E8 application control and user application hardening cover part of least functionality. CMMC additionally requires documented baseline configurations, formal change control, and least functionality enforcement across all in-scope systems.
Access Control (AC) | 3.1.x: CUI access, remote access, mobile devices | Partial | E8 restrict administrative privileges covers privileged access. CMMC adds CUI-specific access authorisation, remote access management, mobile device controls, and public access restrictions.
Audit & Accountability (AU) | 3.3.x: audit logging, review, retention | Partial | E8 ML2 requires centralised event logging for several strategies. CMMC requires audit logging across all in-scope systems, regular log review, defined retention periods, and protection of audit records from modification.
Media Protection (MP) | 3.8.x: media access, sanitisation, transport, backup CUI | Partial (backups only) | E8 regular backups supports only 3.8.9 (protecting the confidentiality of backup CUI). Access restrictions, sanitisation before disposal, transport controls and media use restrictions have no E8 equivalent and need new physical media handling processes.
System & Communications Protection (SC) | 3.13.x: boundary protection, encryption in transit, FIPS-validated cryptography | Partial | E8 user application hardening touches only a small part of SC. CMMC requires boundary protection and monitoring, deny-by-default at network boundaries, and encryption of CUI in transit using FIPS-validated cryptography; most organisations also need to segment the CUI environment.
Risk Assessment (RA) | 3.11.x: risk assessments, vulnerability scanning, remediation | Partial (scanning only) | The E8 ML2 vulnerability scanner requirement covers 3.11.2. CMMC also requires periodic formal risk assessments (3.11.1) and tracked remediation of findings (3.11.3); E8 does not require a risk assessment process or a documented risk register.
Incident Response (IR) | 3.6.x: IR capability, reporting, testing | None | No E8 equivalent. CMMC requires a documented and tested incident response capability with defined procedures, and the accompanying DFARS clause 252.204-7012 imposes 72-hour reporting of cyber incidents to the US DoD. A significant new workstream for most Australian companies.
Maintenance (MA) | 3.7.x: maintenance tools, remote maintenance, records | None | No E8 equivalent. CMMC requires control of maintenance tools and media, MFA for remote maintenance sessions, supervision of maintenance personnel who lack access authorisation, and maintenance records. Easily overlooked where third-party IT providers access CUI systems.
Physical Protection (PE) | 3.10.x: physical access to CUI systems | None | No E8 equivalent. CMMC requires documented physical access controls to facilities and systems processing CUI, visitor escort and logging, management of physical access devices, and physical access monitoring. DISP covers physical security separately through the DSPF, but the CMMC requirements are distinct.
Security Assessment (CA) | 3.12.x: SSPs, POA&Ms, periodic assessments | None | No E8 equivalent. This is arguably the largest gap. CMMC requires a System Security Plan (SSP) documenting every control, a Plan of Action and Milestones (POA&M) for permitted open gaps, periodic security assessments and ongoing monitoring of control effectiveness. The SSP alone can be a 100+ page document.
Personnel Security (PS) | 3.9.x: screening, termination, transfer | None | No E8 equivalent. CMMC requires personnel security screening before access to CUI, and defined procedures to protect CUI during and after terminations and transfers. DISP covers personnel security through the DSPF, but CMMC requirements are specific to CUI handling.
Awareness & Training (AT) | 3.2.x: security awareness, role-based training, insider threat | None | No E8 equivalent. CMMC requires documented security awareness training for all personnel with CUI access, role-based training for personnel with security responsibilities, and insider threat awareness. Training records must be maintained and reviewed.

Supply chain risk management (the SR family, 3.17.x) was introduced in NIST SP 800-171 Rev 3 and is not among the 14 families assessed at CMMC 2.0 Level 2. The supply chain obligation Australian companies will actually face is the contractual flowdown under DFARS 252.204-7012 and 252.204-7021, covered in the next section.

Sources: ASD Essential Eight Maturity Model (cyber.gov.au, November 2023); CMMC 2.0 Level 2 Assessment Guide v2.13 (dodcio.defense.gov); NIST SP 800-171 Rev 2 (nvlpubs.nist.gov).

The 10 Gap Areas Beyond the Essential Eight

Of the 14 CMMC 2.0 Level 2 control domains, six have no direct Essential Eight equivalent and a further six are only partly covered. The ten areas below (nine NIST families plus the contractual supply chain flowdown) are the primary compliance gap for Australian companies that have achieved E8ML2 for DISP and are now pursuing CMMC certification. Each requires the establishment of new processes and documentation, and in some cases new technical controls.

01

Incident Response (IR)

High Effort

CMMC requires an operational incident response capability covering preparation, detection, analysis, containment, recovery and user response (3.6.1), tracking and reporting of incidents to designated officials and authorities (3.6.2), and testing of that capability (3.6.3). The 72-hour reporting deadline comes not from NIST SP 800-171 itself but from DFARS clause 252.204-7012, which accompanies CMMC in DoD contracts and requires cyber incidents affecting covered defence information to be reported to the US DoD through its DIBNet portal within 72 hours of discovery. Many Australian companies have only informal incident response processes; CMMC requires these to be formalised, documented, tested, and rehearsed.

02

Security Assessment (CA) — SSPs and POA&Ms

Very High Effort

The System Security Plan (SSP) is the cornerstone of CMMC compliance. It is a comprehensive document that describes the system boundary, all hardware and software in scope, how each of the 110 CMMC practices is implemented, and who is responsible for each control. The Plan of Action and Milestones (POA&M) documents every control that is not yet fully implemented, with remediation timelines. Under CMMC 2.0 the POA&M is not an open-ended gap list: it may only carry a limited set of lower-weighted practices, the assessment must still score at least 88 of 110, and every POA&M item must be closed within 180 days or the conditional certification lapses. For most organisations, creating these documents from scratch is the single largest effort in a CMMC readiness programme.

03

Risk Assessment (RA)

Medium Effort

CMMC requires periodic risk assessments (3.11.1) that identify threats and vulnerabilities to CUI, assess the likelihood and impact of exploitation, and document risk response decisions. This is distinct from vulnerability scanning (3.11.2), which E8 ML2 largely covers through its vulnerability scanner and patching requirements; CMMC also requires remediation of scan findings to be tracked (3.11.3). What is missing in most E8-only programmes is a formal risk management process with documented outputs. Many Australian companies have never conducted a formal risk assessment against a structured framework.

04

Awareness & Training (AT)

Medium Effort

CMMC requires documented security awareness training for all personnel with access to CUI, and role-based security training for personnel with security responsibilities. Training must be conducted at hire and periodically thereafter, with records maintained. The content must cover the specific threats relevant to the organisation's CUI handling activities. This is a new ongoing operational requirement with no Essential Eight equivalent.

05

Supply Chain Flowdown (DFARS 252.204-7012 and 252.204-7021)

High Effort

Supply chain risk management is not one of the 14 NIST SP 800-171 Rev 2 families assessed at CMMC 2.0 Level 2 (the SR family, 3.17.x, was introduced in Rev 3). The obligation comes instead from the DFARS clauses that travel with CMMC in a DoD contract: 252.204-7012 requires its safeguarding and incident-reporting terms to be flowed down to subcontractors that handle covered defence information, and 252.204-7021 requires a prime to confirm that a subcontractor holds the CMMC level the subcontract requires before awarding it. In practice this means assessing the security practices of suppliers and subcontractors who will have access to CUI, writing the CMMC requirements into their contracts, and monitoring their compliance over time. For Australian companies with complex supply chains, this cascades security obligations down to subcontractors, who may themselves need to achieve CMMC Level 1 or Level 2.

06

Media Protection (MP)

Medium Effort

CMMC requires controls over all physical and digital media containing CUI: restricting access to authorised users, sanitising media before disposal or reuse, controlling the transport of media outside secure facilities, marking media, and maintaining an inventory of media. The one practice in this family that E8 regular backups already supports is 3.8.9, protecting the confidentiality of backup CUI. For most Australian companies, the rest requires establishing new procedures for handling USB drives, hard drives, printed documents, and other media containing defence information.

07

Physical Protection (PE)

Low-Medium Effort

CMMC requires documented physical access controls to facilities and systems that process CUI. This includes controlling physical access to systems, maintaining visitor logs, managing physical access credentials, and monitoring physical access. While DISP addresses physical security through the Defence Security Principles Framework (DSPF), the CMMC physical protection requirements are specifically tied to CUI handling and require separate documentation.

08

Personnel Security (PS)

Low-Medium Effort

CMMC requires screening individuals prior to authorising access to CUI, establishing termination procedures to ensure access is revoked when personnel leave, and managing access during personnel transfers. Again, while DISP addresses personnel security through the DSPF, the CMMC requirements are specifically tied to CUI access and require documented procedures that are distinct from DISP personnel security requirements.

09

Maintenance (MA)

Low Effort

CMMC requires controls over the maintenance of systems that process CUI, including controlling maintenance tools, requiring multi-factor authentication for remote maintenance, and maintaining records of maintenance activities. This is often overlooked in initial CMMC gap analyses but represents a real compliance gap for organisations that allow third-party IT support providers to access systems containing CUI.

10

System & Communications Protection (SC)

Medium Effort

CMMC requires communications to be monitored, controlled and protected at external and key internal boundaries (3.13.1), deny-by-default filtering at those boundaries (3.13.6), encryption of CUI in transit (3.13.8) using FIPS-validated cryptography (3.13.11), and protection of CUI at rest (3.13.16). Network segmentation is not named as a practice, but it is the standard way to shrink the CUI assessment boundary so these controls apply to a manageable set of systems. While E8 addresses a little communications security through application hardening, CMMC's SC domain requires a network architecture review and may require significant infrastructure changes for organisations that have not previously segmented their networks around CUI handling.

The Dual Compliance Strategy: Building Once, Satisfying Both

The most efficient path to dual compliance is to design your security programme from the outset to satisfy both frameworks simultaneously. The key insight is that E8ML2 and CMMC 2.0 are not competing frameworks — they are complementary layers of a single security architecture.

The recommended approach is to treat E8ML2 as the technical foundation — implementing the eight controls at ML2 provides the patching, MFA, application control, and backup capabilities that CMMC also requires. On top of this technical foundation, build the CMMC governance superstructure: the SSP, POA&M, risk assessment process, incident response plan, awareness training programme, and supply chain risk management controls. This approach avoids the cost of building two separate compliance programmes and ensures that evidence collected for DISP (IRAP assessment reports, vulnerability scan results, backup test records) can also be used as evidence for CMMC assessments.

Phase 1

E8ML2 Foundation

  • Patch all applications and OS
  • Deploy phishing-resistant MFA
  • Implement application control
  • Restrict admin privileges
  • Harden user applications
  • Configure macro settings
  • Establish tested backups
Phase 2

CMMC Documentation Layer

  • Write System Security Plan (SSP)
  • Create POA&M for all gaps
  • Conduct formal risk assessment
  • Establish IR plan and procedures
  • Deploy security awareness training
  • Document physical access controls
Phase 3

CMMC Process Layer

  • Supply chain risk management
  • Media protection procedures
  • Personnel security procedures
  • Maintenance controls
  • Network segmentation for CUI
  • Continuous monitoring programme

Ready to Close the Gap?

Serious Defence specialises in helping Australian companies achieve both DISP membership and CMMC 2.0 readiness through a single, integrated compliance programme. Our DISPulse platform maps your control evidence to both frameworks simultaneously, eliminating duplicate effort and ensuring you are always audit-ready for both DISO and C3PAO assessments.