Goodbye CMMC 1.0, Hello CMMC 2.0

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Last week, the Department of Defense announced a major overhaul of the Cybersecurity Maturity Model Certification (CMMC) program. The nascent cybersecurity compliance program came under criticism from the defense industrial base (DIB) because of its extensive requirements and onerous penalties.

The program changes are the result of an extensive internal review, which was prompted by more than 850 public comments on the CMMC submitted during the public comment period in the fall of 2020, as well as concerns raised by Congress.

The CMMC Accreditation Body (AB) held a Townhall this week to discuss how the changes will impact the process of certifying assessors, training requirements, and more. This Townhall featured Deputy Assistant Secretary of Defense Jesse A. Salazar, Deputy DoD Chief Information Officer for Cybersecurity David McKeown, and Buddy Dees of the CMMC Program Management Office. They reinforced much of the new information that is available on the CMMC website.

A key driver for the change, they said, was to fully align the CMMC with National Institute of Standards and Technology (NIST) cybersecurity standards, to ease the process of expanding the program across the government. Though not an official announcement, it does portend the expansion of the program outside of DoD.

Summary of CMMC Program Changes

| | CMMC 1.0 | CMMC 2.0 |
|---|---|---|
| Maturity Levels | 5 Levels | 3 Levels |
| Process Maturity Requirements (Policies and Procedures) | Required | Not Required |
| Level 1 Requirements | 17 Practices; 0 Process Maturity | 17 Practices; 0 Process Maturity |
| Level 1 Assessments | Triannual Third Party | Annual self-assessment |
| Level 2 Requirements (formerly Level 3) | 130 Requirements; 3 Process Maturity | 110 Requirements (NIST SP 800-171); 0 Process Maturity |
| Level 2 Assessments | Triannual Third Party | Triannual Third Party; Annual self-assessments |
| Level 3 Requirements (formerly Level 5) | 171 Practices; 5 Process Maturity | 110 Requirements + additional requirements from NIST SP 800-172 |
| Level 3 Assessments | Triannual Third Party | Triannual Government-led assessments |

CMMC 2.0 Scoring System

CMMC 1.0 is officially over. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Over the next few weeks, an updated CMMC Assessment Guide for Levels 1 and 2 should be posted to the Department’s website.

CMMC 1.0 was essentially a 100% pass/fail assessment: organizations had to meet all the practice and process maturity requirements to pass. CMMC 2.0 moves to a scoring system, most likely similar to the scoring process for NIST SP 800-171. However, certain high-risk practices still cannot fail in a passing assessment. Organizations will be allowed to document plans of action and milestones (POA&Ms) for other practices that do not pass, and DoD will establish a minimum score for passing assessments.

Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors. Questions? Contact us: Email | 804.747.0000

About the Author

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

