CMMC 2.0: A New Federal Standard

The US Department of Defense (DoD) knows cyber security is critical. DoD contractors are a major target of frequent, complex attacks. In 2020, the DoD started the Cybersecurity Maturity Model Certification (CMMC) program. This sought to combat threats and protect data with rules, training, and assessments. In March 2021, the DoD reviewed and refined CMMC based on public comments. It then announced CMMC 2.0 that November. 

CMMC 2.0 

The original CMMC concept had five distinct levels. Each required its own practices and maturity processes. The updated version cuts out Levels 2 and 4, streamlining the basic structure. It also appears to remove maturity processes entirely. CMMC 2.0 is simpler and more flexible than the first version, but with the same goals in mind. It allows waivers under certain conditions, as well as limited Plans of Action and Milestones (POAMs). This makes certification easier and faster in some cases. CMMC 2.0 also allows Level 1 and some Level 2 companies to conduct self-assessments rather than third-party reviews. This serves to reduce the cost of compliance. 

CMMC Levels 

The new model features key changes to the first program. It focuses on the most critical requirements while cutting down on costs. CMMC 2.0 is efficient and flexible, but still ensures a high degree of cyber security at every level. 

Level 1: Foundational 

All levels build on this solid foundation. The first level applies to companies that store, handle, or process FCI. Level 1 requires 17 basics of good cyber hygiene. These include access control, system integrity, and physical protections. At this level, the DoD allows companies to self-assess their compliance with these standards. 

Level 2: Advanced 

Companies that deal with CUI fall into this group. Level 2 requires 110 practices aligned with NIST SP 800-171 controls. These include audits, risk management, cyber security training, incident response plans, and risk management. If contractors handle data critical to national security, the DoD requires third-party assessments every 3 years. If not, they’re allowed to self-assess each year. 

Level 3: Expert 

The final CMMC level applies to companies at risk of Advanced Persistent Threats (APTs). It’s designed for those working on the DoD’s most critical programs. DoD data shows that Level 3 demands involve NIST SP 800-171 and NIST SP 800-172 controls. Government-led assessments are required every 3 years to ensure compliance. 

CMMC Compliance 

Companies that fall into any of these groups must comply once the new model goes into effect. However, CMMC 2.0 is not a requirement until the rulemaking process becomes law. This process takes anywhere from 9-24 months to complete. Contractors should work to meet NIST 800-171 in the meantime, as they take many months to complete. First, decide if your company works with FCI or CUI. If it adhered to CMMC levels in the past, chances are you fall within the new model. We recommend compliance for all state and city level entities, and it’s needed at the federal level.  

Savant Solutions Can Help 

CMMC is a major cyber security standard for all government entities to follow. It works to protect the national security of local, state, and federal data. This is critical since attacks are on the rise across the country. Contractors cannot afford a data breach because the data they handle is dangerous in the hands of criminals. We understand the threat posed by this risk, which is why we take CMMC seriously. Our team is well-versed in the requirements of all CMMC levels. In fact, one of our own professional auditors helped write the CMMC standard.  


If you’re a government contractor, engaged with FCI or CUI, or have questions, please contact us today. CMMC standards can be confusing at first glance, but our experts will simplify the certification process. Don’t delay—the DoD plans to strictly enforce this code soon. We’d be happy to help you with CMMC compliance. 

Leave a Comment

You must be logged in to post a comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.