Information Technology Navigator

Tips, Advice & Insights from Technology Pros

What’s New in CMMC 2.0

Posted by Steve Caprio

Tue, Feb 15, 2022


The Cybersecurity Maturity Model Certification (CMMC) Framework is used by the DoD to verify that sensitive data being handled by defense industrial base (DIB) contractors is properly protected on the contractors’ systems to avoid risk of a compromise from a cybersecurity attack. CMMC uses third-party assessment organizations to verify contractors’ safeguarding of controlled unclassified information (CUI) including International Traffic in Arms Regulations (ITAR) data, federal contract information (FCI), and compliance with certain mandatory practices, procedures and capabilities that can adapt to evolving cyber threats.

What’s New in CMMC 2.0

In November 2021, the DoD announced CMMC 2.0. It’s important to understand key changes and timelines associated with CMMC 2.0, how it compares to CMMC 1.0, and what you need to do to prepare. 

CMMC 1.0 was initially released in January 2020. Feedback on the Framework was criticized as too complex, rigid and costly to implement. In addition, time to compliance was lengthy (between 12-18 months). The goal of CMMC 2.0 is to reduce complexity and cost, while aligning with cybersecurity requirements and other federal requirements.

Eliminating Levels 2 and 4 from CMMC 1.0, CMMC 2.0 is a more flexible system with a streamlined 3-tier framework compared to the 5-tier framework of CMMC 1.0. Based on NIST controls the three levels are as follows:

  • Level 1: Requires an annual self-assessment and affirmation by company leadership. There are no major changes to Level 1. The same 17 practices, derived from FAR 52.204-21 “basic” controls required for protection of Federal Contract Information must still be in place. 
  • Level 2: Level 2 is based on the “old” CMMC Level 3 and greatly reduces the number of required controls. 20 controls have been eliminated from the original framework’s Level 3, leaving contractors having to implement the 110 controls from NIST 800-171. The DoD will identify “prioritized acquisitions” that must undergo an independent third-party assessment against the new Level 2 requirements. All other organizations will only need to perform a self-assessment and affirmation by company leadership.

  • Level 3: Level 3 replaces CMMC Levels 4 and 5 from the original framework. Level 3 requires government-led assessments. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172 and assessments.

Note: Level 2 of CMMC 2.0 will be equivalent to the NIST SP 800-171 and Level 3 will be equivalent to NIST SP 800-172.

The chart below provides a good overview and comparison of the CMMC 1.0 to 2.0 frameworks.


Mask Group 8

CMMC Key Changes

Committed to CMMC Compliance

Daymark is a member of the North East CMMC Coalition. We are committed to the collaborative work the Coalition is doing to provide training and resources for program implementation training, collaboration, recruitment and compliance assistance for the Defense Industrial Base. We are experienced in enabling DIB organizations to meet strict government and regulatory compliance requirements related to CMMC controls for ITAR, CUI and FCI data.

Now is the Time to Act on CMMC Compliance

CMMC 2.0 requirements may not show up in contracts for several months, but now is clearly the time to act. At a Pentagon briefing in November 2021 shortly after the CMMC 2.0 announcement, Jesse Salazar, deputy assistant secretary of defense for industrial policy, said “My hope is that no company in the [defense industrial base] or in the broader commercial market is waiting for DoD contractual requirements to begin its cyber readiness process. We are encouraging all companies to start to improve their cybersecurity.”

Getting Started with CMMC 2.0

Daymark has the experts able to help you achieve compliance and improve your security in an ever-changing environment filled with persistent threats. Contact us today.