    14 February 2026 | Top Floor Team | [EN] 9 min read

    CMMC 2.0: What Changed and What to Do Now

    CMMC | Defense | NIST 800-171

    CMMC 2.0 vs. 1.0: What Actually Changed

    The Cybersecurity Maturity Model Certification (CMMC) program has undergone a significant overhaul since its original release. If you were tracking CMMC 1.0, much of what you learned has changed. Understanding the differences is critical for defense contractors planning their compliance strategy.

    The Shift from Five Levels to Three

    CMMC 1.0 defined five maturity levels, each with an increasing number of practices and processes. CMMC 2.0 collapsed this into three levels:

    • Level 1 (Foundational): 15 practices derived from FAR 52.204-21. Protects Federal Contract Information (FCI). Self-assessment only.
    • Level 2 (Advanced): 110 practices aligned with NIST SP 800-171 Rev 2. Protects Controlled Unclassified Information (CUI). Requires third-party assessment for most contracts, with self-assessment allowed for select non-critical programs.
    • Level 3 (Expert): 134 practices based on a subset of NIST SP 800-172. Protects CUI in the highest-priority programs. Requires government-led assessment (DIBCAC).

    The elimination of Levels 2 and 4 from the original model removed the "transition" levels that had no direct mapping to established frameworks. The result is a cleaner, more predictable structure anchored to existing NIST standards.

    Self-Assessment Returns (for Level 1)

    One of the biggest changes: Level 1 no longer requires a third-party assessment. Contractors handling only FCI can perform an annual self-assessment and submit an affirmation to the Supplier Performance Risk System (SPRS). This significantly reduces the compliance burden for smaller contractors who do not handle CUI.

    Plans of Action and Milestones (POA&Ms) Are Now Allowed

    CMMC 1.0 required all practices to be fully implemented at assessment time. CMMC 2.0 allows POA&Ms for certain practices, giving contractors a defined window (generally 180 days) to close specific gaps after assessment. However, POA&Ms are not available for all practices; there is a subset of critical controls that must be fully implemented at the time of assessment.

    Cost and Complexity Reduction

    By aligning directly with NIST 800-171 (Level 2) and NIST 800-172 (Level 3), CMMC 2.0 eliminated the unique practices that existed only in the CMMC framework. This means organizations already pursuing NIST 800-171 compliance have a direct path to CMMC Level 2 without adopting an entirely new control set.

    The Final Rule Timeline

    Understanding the regulatory timeline helps you plan your compliance roadmap with precision.

    • September 2020: CMMC 1.0 interim rule published
    • November 2021: DoD announced CMMC 2.0 restructuring
    • December 2023: CMMC 2.0 proposed rule published in the Federal Register (32 CFR Part 170)
    • October 15, 2024: Final rule published
    • December 16, 2024: Final rule effective date
    • 2025 onward: Phased rollout in DoD contracts (CMMC requirements appearing in solicitations incrementally over four phases)

    The phased implementation means not every contract will require CMMC certification immediately. However, the trajectory is clear: CMMC requirements will appear in an expanding set of solicitations through 2026 and beyond. Waiting until your specific contract requires it is a high-risk strategy.

    Level 1 vs. Level 2 vs. Level 3: Who Needs What

    Your required CMMC level depends on the type of information you handle and the contracts you pursue.

    Level 1: FCI Only

    If your contracts involve Federal Contract Information but not CUI, Level 1 applies. FCI is information provided by or generated for the government under contract that is not intended for public release. Many subcontractors and suppliers fall into this category.

    • Practices: 15 (from FAR 52.204-21)
    • Assessment: Annual self-assessment with SPRS affirmation
    • Typical contractors: Small suppliers, logistics companies, facilities maintenance, non-technical subcontractors

    Level 2: CUI

    If your contracts involve Controlled Unclassified Information, Level 2 applies. CUI includes technical data, export-controlled information, proprietary military specifications, and other sensitive but unclassified data.

    • Practices: 110 (from NIST SP 800-171 Rev 2)
    • Assessment: Third-party assessment by an authorized C3PAO for most contracts; self-assessment permitted for select non-critical programs
    • Typical contractors: Engineering firms, IT service providers, manufacturers with technical data, R&D partners

    Level 3: High-Value CUI

    Level 3 applies to contractors supporting the most sensitive DoD programs. The specific contracts requiring Level 3 are determined by the DoD on a case-by-case basis.

    • Practices: 134 (NIST SP 800-171 Rev 2 + select NIST SP 800-172 enhancements)
    • Assessment: Government-led assessment (DIBCAC)
    • Typical contractors: Major defense primes on critical programs, classified-adjacent work, advanced weapons systems

    NIST 800-171 Rev 3: What It Means for CMMC

    NIST released Revision 3 of SP 800-171 in May 2024. This revision restructured the control families, updated practice language, and added new requirements. However, the CMMC 2.0 final rule references NIST 800-171 Revision 2, not Revision 3.

    This creates a transitional period. The DoD has indicated that CMMC will eventually align with Rev 3, but for now, contractors should focus on Rev 2 compliance for CMMC purposes. That said, forward-thinking organizations should review Rev 3 changes and begin incorporating applicable updates, since:

    • Rev 3 alignment will likely be required in a future CMMC update
    • Many Rev 3 changes represent security best practices regardless of compliance requirements
    • Starting the gap analysis now avoids a compressed timeline later

    Track framework updates and their impact through our Regulatory Radar, which monitors NIST, DoD, and CMMC-AB announcements.

    The C3PAO Assessment Process

    For Level 2 contractors requiring third-party assessment, understanding the C3PAO process is essential for planning.

    What Is a C3PAO?

    A CMMC Third-Party Assessor Organization (C3PAO) is an organization authorized by the CMMC Accreditation Body (the Cyber AB) to conduct Level 2 assessments. C3PAOs employ certified CMMC assessors who evaluate your implementation of the 110 NIST 800-171 practices.

    The Assessment Flow

    1. Pre-assessment preparation: Your organization completes its System Security Plan (SSP), implements all required practices, and compiles evidence. This is where most of the work happens.

    2. C3PAO selection: You select and contract with an authorized C3PAO from the Cyber AB marketplace. Start this process early; assessor availability is limited and booking windows can extend several months.

    3. Assessment planning: The C3PAO reviews your SSP and scoping documentation, identifies assessment team members, and schedules the on-site or virtual assessment.

    4. Assessment execution: Assessors examine evidence, interview personnel, observe processes, and test controls against each of the 110 practices. Duration varies by scope but typically runs 1 to 2 weeks of active assessment.

    5. Findings and POA&Ms: If gaps are identified, the assessor determines whether they qualify for POA&M treatment or represent assessment failures. You receive a detailed findings report.

    6. Certification decision: If you meet the threshold (all practices met or qualifying POA&Ms in place), you receive a CMMC Level 2 certification valid for three years.

    Cost Expectations

    C3PAO assessment fees for Level 2 typically range from $50,000 to $150,000 depending on the size and complexity of your environment. This does not include the readiness and remediation work required before the assessment, which often represents the larger investment.

    SSP Requirements and How to Prepare

    The System Security Plan is the backbone of your CMMC assessment. It documents how your organization implements each required practice and defines the boundaries of your assessment scope.

    What the SSP Must Include

    • System boundary definition (which systems, networks, and facilities are in scope)
    • Description of how each NIST 800-171 practice is implemented
    • Roles and responsibilities for security functions
    • Network architecture diagrams
    • Data flow diagrams showing how CUI enters, moves through, and exits your environment
    • Interconnection details for external systems
    • POA&M items for practices not yet fully implemented

    Practical SSP Tips

    • Start with scoping. A well-defined system boundary reduces the number of systems you need to secure and document. CUI enclaves, segmented networks, and managed service providers can all reduce your in-scope footprint.
    • Use NIST templates. NIST provides SSP templates aligned with 800-171. Do not reinvent the format. Our compliance templates library includes SSP templates tailored for CMMC.
    • Document as you implement. Writing the SSP after implementation is painful and error-prone. Document each practice as you implement it, while the details are fresh.
    • Review quarterly. Your SSP is a living document. Systems change, personnel rotate, and configurations drift. Quarterly reviews keep the SSP accurate and reduce pre-assessment scramble.

    Timeline for Phased Implementation

    The DoD is rolling CMMC requirements into contracts across four phases:

    Phase 1 (Starting December 2024)

    Self-assessment requirements begin appearing in applicable solicitations. Contractors must complete Level 1 or Level 2 self-assessments (where permitted) and submit SPRS scores.

    Phase 2 (Starting One Year After Phase 1)

    Third-party Level 2 (C3PAO) assessments begin appearing as requirements in solicitations. This is when the rubber meets the road for most CUI-handling contractors.

    Phase 3 (Starting One Year After Phase 2)

    Level 3 assessment requirements begin appearing in applicable solicitations for the most sensitive programs.

    Phase 4 (Full Implementation)

    CMMC requirements are included in all applicable DoD solicitations and contracts, including option periods.

    What This Means for Your Planning

    If you handle CUI and expect to bid on DoD contracts through 2026 and beyond, you should be in active preparation now. The assessment backlog is real: there are a limited number of authorized C3PAOs and certified assessors relative to the number of contractors that will need assessments. Early movers will have their pick of assessors and timelines; late movers will face scheduling delays that could affect contract eligibility. If you lack dedicated security leadership to drive this effort, a virtual CISO engagement can provide the expertise needed to manage the process.

    What to Do Right Now

    Regardless of where you are in your CMMC journey, these steps will move you forward.

    1. Determine Your Required Level

    Review your current and anticipated DoD contracts. Identify whether you handle FCI only (Level 1) or CUI (Level 2). If you are unsure, your contracting officer can clarify.

    2. Conduct a Gap Assessment

    Map your current security posture against the applicable NIST 800-171 practices. Identify what you have, what you partially have, and what is missing entirely. This gap assessment drives your entire remediation plan. A penetration test can also help validate your technical controls and identify weaknesses that a documentation review alone might miss.

    3. Build Your SSP

    If you do not have a System Security Plan, start one now. If you have one, review it for accuracy. Use templates from our compliance templates library to accelerate the process.

    4. Remediate Gaps Systematically

    Prioritize remediation by criticality (practices that cannot use POA&Ms must be implemented first), effort level, and dependency chain. Some practices depend on others; implement foundational controls before dependent ones.
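    The three ordering rules in this step (criticality, effort, dependency chain) can be applied mechanically to a gap-assessment spreadsheet. The script below is an added example, not code from the article or from any CMMC tooling; the practice IDs, POA&M-eligibility flags, effort scores and dependencies are constructed placeholders and do not reflect the DoD's actual list of POA&M-ineligible practices. It schedules the unmet practices so that no practice is scheduled before its prerequisites, practices that cannot be deferred with a POA&M come first among whatever is ready, and lower-effort items break ties.

```python
"""Order remediation work from a CMMC Level 2 gap assessment.

Added example, not code from the original article. Practice IDs, POA&M
eligibility flags, effort values and dependencies are constructed
placeholders, not the DoD's actual POA&M-eligibility list.
"""
from collections import defaultdict

# Constructed sample gap-assessment results. Each entry records whether the
# practice is already met, whether a POA&M could cover it, a rough effort
# score, and the practices that must be in place before it can be completed.
GAPS = {
    "PRACTICE-A": {"met": True,  "poam_eligible": True,  "effort": 1, "depends_on": []},
    "PRACTICE-B": {"met": False, "poam_eligible": False, "effort": 5, "depends_on": ["PRACTICE-A"]},
    "PRACTICE-C": {"met": False, "poam_eligible": True,  "effort": 2, "depends_on": ["PRACTICE-B"]},
    "PRACTICE-D": {"met": False, "poam_eligible": False, "effort": 3, "depends_on": []},
    "PRACTICE-E": {"met": False, "poam_eligible": True,  "effort": 1, "depends_on": ["PRACTICE-D", "PRACTICE-A"]},
}


def remediation_order(gaps):
    """Return the unmet practices in the order they should be remediated.

    Rules, in priority order:
      1. a practice is never scheduled before the practices it depends on
         (dependency chain);
      2. among practices whose prerequisites are satisfied, practices that
         cannot be deferred with a POA&M come first (criticality);
      3. ties are broken by lower effort so quick wins land early.
    Already-met practices count as satisfied prerequisites and are not listed.
    Raises ValueError on an unknown dependency or a dependency cycle.
    """
    unmet = {pid: g for pid, g in gaps.items() if not g["met"]}
    for pid, g in unmet.items():
        for dep in g["depends_on"]:
            if dep not in gaps:
                raise ValueError(f"{pid} depends on unknown practice {dep}")

    # Kahn's algorithm restricted to the unmet practices; prerequisites that
    # are already met contribute nothing to the in-degree.
    indegree = {pid: 0 for pid in unmet}
    dependents = defaultdict(list)
    for pid, g in unmet.items():
        for dep in g["depends_on"]:
            if dep in unmet:
                indegree[pid] += 1
                dependents[dep].append(pid)

    def priority(pid):
        g = unmet[pid]
        # False sorts before True, so POA&M-ineligible (critical) practices lead.
        return (g["poam_eligible"], g["effort"], pid)

    ready = sorted((pid for pid, d in indegree.items() if d == 0), key=priority)
    order = []
    while ready:
        pid = ready.pop(0)
        order.append(pid)
        for child in dependents[pid]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort(key=priority)

    if len(order) != len(unmet):
        stuck = sorted(set(unmet) - set(order))
        raise ValueError(f"dependency cycle among practices: {stuck}")
    return order


def must_close_before_assessment(gaps):
    """Unmet practices that a POA&M cannot cover at assessment time."""
    return sorted(pid for pid, g in gaps.items()
                  if not g["met"] and not g["poam_eligible"])


if __name__ == "__main__":
    print("Must be implemented before assessment:", must_close_before_assessment(GAPS))
    print("Remediation order:", remediation_order(GAPS))
```

    On the constructed data, PRACTICE-D is scheduled before PRACTICE-B even though B is the more expensive item, because both are POA&M-ineligible and D is cheaper; PRACTICE-C waits for B regardless of its low effort. A cycle in the dependency column is reported as an error rather than silently dropping practices, which is the failure mode to watch for when the dependencies come from a hand-maintained spreadsheet.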

    5. Submit Your SPRS Score

    If you have not already submitted a self-assessment score to SPRS, do so. Even if your score is not perfect, having a score on record is better than having none, and it establishes your baseline.

    6. Engage a C3PAO Early

    If you need a third-party assessment, start the C3PAO selection process 6 to 9 months before you need certification. Assessment scheduling is competitive and lead times are growing.

    Conclusion

    CMMC 2.0 is no longer a future requirement; it is current policy with contracts already incorporating its provisions. The streamlined three-level model is more predictable than its predecessor, but the compliance lift for Level 2 contractors remains substantial.

    The organizations that start now will have a competitive advantage in the defense contracting market. Those that wait risk being locked out of solicitations when their contracts come up for renewal or recompete.

    Explore our CMMC compliance service for a structured path from gap assessment through certification, check the Regulatory Radar for the latest CMMC developments, or reach out directly to discuss your timeline and requirements.

    Need help preparing for your CMMC assessment? Schedule a free consultation with our defense compliance specialists to map out your path to certification.

    Need help with your compliance program?

    Our team of senior professionals can help you navigate complex compliance requirements and build a security program that stands up to any scrutiny.

    Book a Free Consultation