

CMMC and CMMC 2.0 Explained

By: Dataprise

What is CMMC 2.0


CMMC refers to the Cybersecurity Maturity Model Certification, a program created for federal contracts by the Department of Defense (DoD). Designed to protect sensitive information, the requirements have recently been revamped to a 2.0 version. Learn more about what this means for contractors and why it’s so important to get ahead of this certification.

What is CMMC?

CMMC is meant to assure the DoD that the security controls and protocols of federal contractors are sufficient to keep data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), under the proverbial lock and key. The level an organization needs to meet will depend on its access to sensitive data.

The original CMMC featured five security levels for cyber hygiene:

  • Basic cyber hygiene: Follow safeguarding requirements in the Federal Acquisition Regulations (FAR).
  • Intermediate cyber hygiene: Meet 65 requirements in NIST 800-171.
  • Good cyber hygiene
  • Proactive cyber hygiene
  • Advanced cyber hygiene

The last three levels require complete compliance with NIST 800-171 plus additional bespoke practices and processes depending on the organization in question.

The Evolution of CMMC

CMMC was introduced as an update to the cybersecurity regulations in the Defense Federal Acquisition Regulations Supplement (DFARS). The original rules were published as an interim rule but required that most defense contractors and subcontractors be certified by a third party by 2025. After the Biden Administration conducted a review of the requirements, the government came out with version 2.0.

CMMC 2.0 has simplified the original five levels into three levels. It continues to allow for self-assessment with Level 1 and part of a divided Level 2. All other parties will need third-party certification. Contractors who handle CUI will also need to comply with the Defense Federal Acquisition Regulations Supplement (DFARS), a provision that lays out the general policies of the DoD and the relevant legal requirements for contractors.

What is the goal of CMMC 2.0?

CMMC 2.0 was created after Defense Industrial Base (DIB) companies expressed concerns about confusing rules and a corresponding lack of compliance. The certification requirements also posed a threat to small businesses, which led to a reduction in potential contractors for the DoD to choose from. For instance, a third-party certification is no longer needed at Level 1, which may make it easier for leaders to satisfy regulations without impacting operations.

The Three Levels of CMMC 2.0

The new levels of CMMC 2.0 are:

  • Level 1: The main change is that company leaders are allowed to certify compliance on an annual basis.
  • Level 2: Companies must maintain NIST 800-171 compliance, though some of the other compliance measures have been eliminated. In addition, some contractors may be able to self-assess depending on the circumstances.
  • Level 3: Requires full compliance with NIST 800-171 and at least some compliance with NIST 800-172. Certification by a third party is required.

Who needs CMMC certification? As you might be able to tell from the description of Level 2, this question still seems up for debate.

How Can You Prepare for CMMC 2.0?

If you’re concerned about CMMC compliance, we highly encourage you to get ahead of this requirement. The projected estimate is that CMMC 2.0 will go live anywhere from 9 months to 2 years from now, but there’s no reason to wait until the last minute.

While the new rules are designed to simplify things in theory, the actual dividing lines in terms of levels and self-assessments are anything but straightforward. Plus, even if you are solidly at Level 1, it can be a good idea to have a third party take a look at the efficacy of your security. In other words, getting certified now can be the best move you ever made. Want to know if your DoD cybersecurity program is following all the best practices? Take our cyber hygiene quiz to learn more.

Dataprise for Your Information Security Needs

Dataprise offers a full suite of managed cybersecurity and data protection services that allow your business to reach cyber maturity quickly. Our cyber program management incorporates your company’s structure, mission, and goals so that we can align our cyber program to reduce risks and investment impact. With a myriad of the top security certifications, our experienced technicians will ensure your vital data and networks are protected. Our cyber hygiene management program includes a cyber security model assessment, firewall audits, regulatory compliance assessments, automated reporting, and much more. Contact us today to learn more about our cyber program management.

Watch "CMMC 2.0 Myths Busted".
