CMMC 2.0 Compliance Guide

What Federal Contractors Need to Know (and Do) Now

The Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) to strengthen cyber protections in its supply chain. The goal? Ensure contractors are securely managing Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

With CMMC 2.0, the DoD is streamlining the framework to make it more flexible, more enforceable, and easier to align with existing NIST standards. In this CMMC 2.0 compliance guide, we break down what’s changing, how it compares to CMMC 1.0, and what you can do now to prepare.


What Is CMMC?

CMMC is the DoD’s unified standard to verify the cybersecurity posture of its contractors. It determines whether a contractor can handle CUI and FCI and requires formal certification based on the sensitivity of the information handled. This CMMC 2.0 compliance guide will help you understand what changes to expect and when to act.


What’s New in CMMC 2.0?

CMMC 2.0 significantly simplifies the framework while preserving its core intent. Key changes include:

  • Reducing the number of maturity levels from five to three
  • Allowing some use of POAMs (Plans of Action and Milestones)
  • Permitting self-assessments for some contractors
  • Aligning fully with NIST SP 800-171 and SP 800-172
  • Eliminating CMMC-unique security practices

CMMC 2.0 vs. CMMC 1.0: Level Breakdown

CMMC 1.0 Level    CMMC 2.0 Equivalent    Description
Level 1           Foundational           Basic safeguarding of FCI (aligned with 48 CFR 52.204-21)
Level 3           Advanced               Protection of CUI using all NIST SP 800-171 controls
Level 5           Expert                 Protection of CUI from APTs using a NIST SP 800-172 subset

Levels 2 and 4 from CMMC 1.0 have been removed to eliminate ambiguity.


POAMs Are Now Accepted—With Limits

In CMMC 1.0, contractors needed 100% compliance at the time of assessment. With CMMC 2.0, POAMs allow companies to submit plans for how they will close remaining security gaps post-assessment.

  • POAMs will be time-bound and limited to specific low-risk requirements
  • Not all controls are POAM-eligible
  • Implementation details (which requirements qualify and the closure deadlines) are still being finalized

This change makes compliance more flexible without reducing security expectations.


Self-Assessments for Level 1 and Some Level 2 Contractors

To reduce assessment costs and lower the barrier to entry:

  • Level 1 contractors can complete annual self-assessments
  • Some Level 2 contractors may also self-assess, depending on the sensitivity of their CUI
  • Level 3 contractors (Expert) will still require a DoD-led assessment

Timeline: When Will CMMC 2.0 Take Effect?

CMMC 2.0 was announced in November 2021 following internal DoD reviews. While an exact rollout date is unknown, the rulemaking process is ongoing. The earliest expected implementation is late 2024 or early 2025, still within the 5-year CMMC 1.0 phase-in period.


What to Do While You Wait

CMMC 2.0 is not yet law, but forward-thinking contractors are already preparing.

Here’s how to get ahead:

  • Familiarize yourself with NIST SP 800-171 controls
  • Perform internal self-assessments against the appropriate maturity level
  • Document POAMs for any control gaps
  • Assess supplier risk in your own digital supply chain
  • Evaluate tools and workflows for audit readiness

How c1secure Helps You Prepare

At c1secure, we help federal contractors operationalize cybersecurity compliance through automation, readiness frameworks, and ServiceNow implementations.

Our CMMC Maturity Scale Register enables:

  • Control tracking across CMMC maturity levels (L1–L5)
  • Structured self-assessments
  • Preparation for C3PAO audits
  • Evidence alignment and reporting for NIST SP 800-171 and 172

To learn more, contact us today!