CMMC 2.0: What It Means for Your Business

By Donald DeWitt Jr. • November 16, 2021

Recently a CMMC-AB town hall meeting was held to present and discuss changes to Cybersecurity Maturity Model Certification (CMMC). The new version, called CMMC 2.0, was presented by the Department of Defense (DOD) as well as the CMMC accrediting body. The biggest takeaway from the meeting is that the revision now mirrors NIST 800-171.


With CMMC 1.0, a large percentage of the requirements mapped directly to this NIST standard. Now, CMMC is explicitly defined by NIST 800-171. As the cybersecurity landscape continues to evolve, any additional controls will be directly put into the NIST standard. In clarifying the foundation for this cybersecurity mandate, it will simplify the process by eliminating any previous mapping to other risk management, ISO, or risk maturity model frameworks.

Impact of this change–and why nothing has really changed

While at first glance, it might appear that this shift to have NIST 800-171 provide the foundation of CMMC will have a large impact, it actually changes very little. For one thing, System Security Plans (SSPs) and Plans of Actions and Milestones (POAMs) are still relevant and necessary. Companies should focus on which level of the new standard applies to their business. At this point CMMC 2.0 contains three levels as opposed to the five levels of version 1.0. Here’s how the mapping looks:


CMMC 1.0CMMC 2.0
Level 1Level 1
Level 3Level 2
Level 5Level 3


Right now, reporting requirements for Level One are exactly what they were before. That requirement is a self-assessment on the applicable controls and practices, which companies submit to the government each year. For the new level two, companies will also be performing self-assessments against the requirements of NIST 800-171 and submitting their results into the Supplier Performance Risk System (SPRS).


With the new version, there is no explicit requirement for documentation, policies and procedures, but there is an expected requirement based on NIST 800-171, Appendix M. What that means is contractors should still be mindful of the documentation of their cybersecurity practices.


Your next steps

For now, it is all about aligning yourself with the partner you rely on to help you meet your cybersecurity requirements and gain or maintain your government contract work. Leverage the expertise of those who know what you need to do and focus on your own core competence.


Stay informed–and know that NIST 800-171 remains the cybersecurity law of the land. CMMC 2.0 is the future, but NIST 800-171 is not expected to go away and looks to provide a foundation for the revised CMMC standard. If you have any questions on how to proceed, contact us. We would be happy to share our insight and apply best practices to help your business attain your cybersecurity goals.


CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO