

Understanding CMMC 2.0: The Simplified Framework

When the Department of Defense first announced the Cybersecurity Maturity Model Certification (CMMC) program in 2020, it introduced five maturity levels with 171 practices across 17 domains. The defense industrial base pushed back hard. The framework was too complex, too expensive, and would lock small contractors out of the market.

In November 2021, the DoD responded with CMMC 2.0, a streamlined model that collapsed the original five levels into three. The changes were significant and worth understanding in detail.

The Three Levels

Level 1 (Foundational) covers the 15 basic safeguarding requirements of FAR 52.204-21, which CMMC counts as 17 practices. These are fundamental cyber hygiene controls: limiting system access to authorized users, identifying and authenticating those users, sanitizing or destroying media before disposal, controlling physical access, and protecting against malicious code. Level 1 requires only an annual self-assessment, with the score and an affirmation by a senior company official submitted to the Supplier Performance Risk System (SPRS). No POA&Ms are permitted at this level; every practice must be fully met.

Level 2 (Advanced) maps directly to the 110 security requirements in NIST SP 800-171 Rev 2. This is where most defense contractors handling Controlled Unclassified Information (CUI) will land. Depending on the program, as specified in the solicitation, Level 2 requires either a self-assessment or a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). In both cases the assessment is valid for three years and must be backed by an annual affirmation from a senior official.

Level 3 (Expert) adds a selected subset of the enhanced requirements from NIST SP 800-172 on top of the full Level 2 set and targets contractors working with the most sensitive unclassified data. Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a current Level 2 C3PAO certification is a prerequisite.

What Changed from CMMC 1.0

The biggest changes were structural. CMMC 2.0 eliminated the CMMC-unique practices and the separate process maturity requirements that sat outside existing NIST standards. By aligning directly with NIST SP 800-171, and therefore with its published assessment procedures in NIST SP 800-171A, the DoD gave contractors and assessors a single control set to work from rather than DoD-specific practice statements. It also introduced limited Plans of Action and Milestones (POA&Ms), which CMMC 1.0 did not allow at all: a contractor that meets a minimum score can receive a conditional certification and has 180 days to close the remaining gaps. Not every requirement is eligible for a POA&M, so the higher-weighted controls still have to be in place on assessment day.

For small businesses, the most meaningful change was the reintroduction of self-assessment for certain Level 2 contracts. Under CMMC 1.0, every level, including Level 1, required a third-party assessment. CMMC 2.0 reserves third-party assessments for contracts involving prioritized CUI, reducing the financial burden on contractors whose work involves less sensitive information.

What This Means for Your Business

If your contracts reference DFARS 252.204-7012, you almost certainly need Level 2. Review your contracts and identify which ones involve CUI. Start building your System Security Plan (SSP) now, even if CMMC requirements have not appeared in your solicitations yet; NIST SP 800-171 already requires one (3.12.4), and it is the first document an assessor will ask for. The rulemaking process is underway, and contractors who wait for the final rule to start preparing will find themselves scrambling.


Take the next step toward CMMC compliance

CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in with templates, evidence mapping, and a POA&M tracker. Spin up a free demo workspace.
