CMMC 2.0: What It Means for Your Business

By Donald DeWitt Jr. • November 16, 2021

Recently a CMMC-AB town hall meeting was held to present and discuss changes to Cybersecurity Maturity Model Certification (CMMC). The new version, called CMMC 2.0, was presented by the Department of Defense (DOD) as well as the CMMC accrediting body. The biggest takeaway from the meeting is that the revision now mirrors NIST 800-171.


With CMMC 1.0, a large percentage of the requirements mapped directly to this NIST standard. Now, CMMC is explicitly defined by NIST 800-171. As the cybersecurity landscape continues to evolve, any additional controls will be put directly into the NIST standard. Clarifying the foundation of this cybersecurity mandate simplifies the process by eliminating the previous mappings to other risk management, ISO, or risk maturity model frameworks.

Impact of this change–and why nothing has really changed

While at first glance it might appear that this shift to have NIST 800-171 provide the foundation of CMMC will have a large impact, it actually changes very little. For one thing, System Security Plans (SSPs) and Plans of Actions and Milestones (POAMs) are still relevant and necessary. Companies should focus on which level of the new standard applies to their business. At this point CMMC 2.0 contains three levels as opposed to the five levels of version 1.0. Here's how the mapping looks:


CMMC 1.0    CMMC 2.0
Level 1     Level 1
Level 3     Level 2
Level 5     Level 3


Right now, reporting requirements for Level 1 are exactly what they were before. That requirement is a self-assessment on the applicable controls and practices, which companies submit to the government each year. For the new Level 2, companies will also be performing self-assessments against the requirements of NIST 800-171 and submitting their results into the Supplier Performance Risk System (SPRS).


With the new version, there is no explicit requirement for documentation, policies, and procedures, but there is an expected requirement based on NIST 800-171, Appendix M. What that means is that contractors should still be mindful of documenting their cybersecurity practices.


Your next steps

For now, it is all about aligning yourself with the partner you rely on to help you meet your cybersecurity requirements and gain or maintain your government contract work. Leverage the expertise of those who know what you need to do and focus on your own core competence.


Stay informed–and know that NIST 800-171 remains the cybersecurity law of the land. CMMC 2.0 is the future, but NIST 800-171 is not expected to go away and looks to provide a foundation for the revised CMMC standard. If you have any questions on how to proceed, contact us. We would be happy to share our insight and apply best practices to help your business attain your cybersecurity goals.

