CMMC 2.0: What It Means for Your Business

By Donald DeWitt Jr. • November 16, 2021

Recently, a CMMC-AB town hall meeting was held to present and discuss changes to the Cybersecurity Maturity Model Certification (CMMC). The new version, called CMMC 2.0, was presented by the Department of Defense (DOD) as well as the CMMC accrediting body. The biggest takeaway from the meeting is that the revision now mirrors NIST 800-171.


With CMMC 1.0, a large percentage of the requirements mapped directly to this NIST standard. Now, CMMC is explicitly defined by NIST 800-171. As the cybersecurity landscape continues to evolve, any additional controls will be put directly into the NIST standard. Clarifying the foundation for this cybersecurity mandate will simplify the process by eliminating any previous mapping to other risk management, ISO, or risk maturity model frameworks.

Impact of this change–and why nothing has really changed

At first glance, it might appear that making NIST 800-171 the foundation of CMMC will have a large impact, but it actually changes very little. For one thing, System Security Plans (SSPs) and Plans of Action and Milestones (POAMs) are still relevant and necessary. Companies should focus on which level of the new standard applies to their business. At this point, CMMC 2.0 contains three levels, as opposed to the five levels of version 1.0. Here’s how the mapping looks:


CMMC 1.0 | CMMC 2.0
Level 1  | Level 1
Level 3  | Level 2
Level 5  | Level 3


Right now, reporting requirements for Level 1 are exactly what they were before. That requirement is a self-assessment on the applicable controls and practices, which companies submit to the government each year. For the new Level 2, companies will also perform self-assessments against the requirements of NIST 800-171 and submit their results into the Supplier Performance Risk System (SPRS).


With the new version, there is no explicit requirement for documentation, policies and procedures, but there is an expected requirement based on NIST 800-171, Appendix M. What that means is contractors should still be mindful of the documentation of their cybersecurity practices.


Your next steps

For now, it is all about aligning yourself with the partner you rely on to help you meet your cybersecurity requirements and gain or maintain your government contract work. Leverage the expertise of those who know what you need to do and focus on your own core competence.


Stay informed–and know that NIST 800-171 remains the cybersecurity law of the land. CMMC 2.0 is the future, but NIST 800-171 is not expected to go away and looks to provide a foundation for the revised CMMC standard. If you have any questions on how to proceed, contact us. We would be happy to share our insight and apply best practices to help your business attain your cybersecurity goals.

