CMMC 2.0: The Effect on Assessments

By Eric Noonan • December 15, 2021

As discussion of the newly announced CMMC 2.0 continues to swirl, we are applying our knowledge to an analysis of the news. In our series of blogs on the topic, we started by discussing the context and impact of the update.

Our next topic, as we highlight some of the proposed changes in CMMC 2.0, is how assessments would be impacted in the proposed 2.0 revision. Let’s examine what we know for each of the new levels as defined by the revision.

  • Level One: The assessment requirement for CMMC 2.0 Level One is the same requirement that existed already. Keep in mind that many people probably have Level One CMMC compliance on their home computers, so it’s not a very high bar to clear. 
  • Level Two: Depending on the type of information involved in your business with the DoD, Level Two requires either a third-party assessment or a self-assessment. Companies can self-assess and then have a senior company official affirm their compliance and enter the self-assessment results into the Supplier Performance Risk System (SPRS). This is not a material change from CMMC 1.0. The fact of the matter is your company is still responsible for implementing and maintaining proper cybersecurity practices. 
  • Level Three: This level requires a government assessment. Again, there is no impact. In CMMC 1.0, these programs were evaluated on a case-by-case and contract-by-contract basis, and that will continue to be the case in the proposed revision.


Summary of Impact on Assessments


| Level | Assessment | Impact |
|---|---|---|
| CMMC 2.0, Level 1 (Foundational) | Self-assessment | No impact – same as existing requirements |
| CMMC 2.0, Level 2 (Advanced) | Third-party assessment required for prioritized acquisitions | No impact – same as existing requirements |
| CMMC 2.0, Level 2 (Advanced) | Self-assessment and affirmation | Impact unknown – aligned with existing requirements |
| CMMC 2.0, Level 3 (Expert) | Government assessment | No impact |


As you can see, the impact on assessments is minimal. The real takeaway is that you still need one! Either complete an assessment internally or bring on a third party, but an assessment is a “must have”. If you have any questions on how your organization should proceed in determining the current state of your cybersecurity, contact us. We understand the requirements of NIST 800-171 and can help you move forward to achieve and maintain compliance.


Next Steps

For practical, actionable next steps around CMMC 2.0, attend our upcoming webinar on Wednesday, December 15, 2021, at 9:00am (PST) | 12:00pm (EST), to learn more about CMMC 2.0 and how it might impact your business.
