CMMC 2.0: The Effect on Assessments

By Eric Noonan • December 15, 2021

As the discussions around the impact of the newly announced CMMC 2.0 continue to swirl, we are here to apply our knowledge to our analysis of the news. In our series of blogs on the topic, we started by discussing the context and impact for the update.

Our next topic as we highlight some of the proposed changes in CMMC 2.0, is how assessments would be impacted in the proposed 2.0 revision. Let’s examine what we know for each of the new levels as defined by the revision.

  • Level One: The assessment requirement for CMMC 2.0 Level One is the same requirement that existed already. Keep in mind that many people probably have Level One CMMC compliance on their home computers, so it’s not a very high bar to clear. 
  • Level Two: Depending on the type of information involved in your business with the DoD, Level Two requires either a third-party assessment or a self-assessment. Companies can self-assess and then have a senior company official affirm their compliance and enter the self-assessment results into the Supplier Performance Risk System (SPRS). This is not a material change from CMMC 1.0. The fact of the matter is your company is still responsible for implementing and maintaining proper cybersecurity practices. 
  • Level Three: This level requires a government assessment. Again, there is no impact. In CMMC 1.0, these programs were evaluated on a case-by-case and contract-by-contract basis and that will continue to be the case in the proposed revision.


Summary of Impact on Assessments


CMMC 2.0, Level 1 (Foundational)Self assessmentNo impact – same as existing requirements
CMMC 2.0, Level 2 (Advanced) Third party assessment required for prioritized acquisitionsNo impact – same as existing requirements
Self assessment and affirmationImpact unknown – aligned with existing requirements
CMMC 2.0, Level 3 (Expert)Government Assessment No impact


As you can see, the impact on assessments is minimal, the real takeaway is that you still need one! Either complete an assessment internally or bring on a third-party but an assessment is a “must have”.  If you have any questions on how your organization should proceed in determining the current state of your cybersecurity, contact us. We understand the requirements of NIST 800-171 and can help you move forward to achieve and maintain compliance.


Next Steps

For practical, actionable next steps around CMMC 2.0 attend our upcoming webinar on Wednesday, December 15, 2021, at 9:00am (PST) | 12:00pm (EST), to learn more about CMMC 2.0 and how it might impact your business.

CMMC 2.0 Webinar Registration

CyberSheath Blog

CyberSheath Opens Registration For CMMC CON 2022

RESTON, Va. — June 8, 2022 — Federal contractors have been searching for direction after seeing a flood of messaging about the future of Cybersecurity Maturity Model Certification (CMMC). The nation’s largest CMMC conference has returned to help contractors navigate their course through the evolving compliance landscape.   Hosted by…

5 Reasons to Partner with CyberSheath

The threat landscape is only becoming more complex. Offload the responsibility of navigating cybersecurity issues for your customers by taking advantage of CyberSheath’s new Partner Program.   As a pioneer and industry leader in the managed security service provider space, our new offering helps you achieve rapid results and deliver…

CMMC Compliance Training: How to Earn Your Black Belt

Contractors in the Defense Industrial Base (DIB) are looking for direction as Cybersecurity Maturity Model Certification (CMMC) 2.0 nears. Compliance with CMMC and Defense Federal Acquisition Regulation Supplement (DFARS) is your key to doing business with the Department of Defense (DoD) and we can help you navigate those requirements and…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO