DoD U-Turns: Changes Strategic Direction of CMMC Program – Security

To print this article, all you need to do is be registered or log in to

After completing an internal evaluation of the program, the Department of Defense (“DoD”) announced a dramatic change in the strategic direction of its Cybersecurity Maturity Model (“CMMC”) certification program. The DoD originally released CMMC 1.0 in January 2020, intending to roll it out from 2021 through 2025 and, by 2026, for all defense contracts to incorporate the stringent requirements of CMMC 1.0. However, CMMC implementation is now discontinued and the DoD is working on finalizing an enhanced CMMC program called CMMC 2.0. The DoD emphasized that CMMC 2.0 will maintain the program’s original goal of protecting sensitive information, but it will also minimize barriers to compliance with DoD requirements, simplify the CMMC standard, reduce assessment costs, create a culture more collaborative cybersecurity and will provide for a more flexible implementation.

Application and schedule

Like CMMC 1.0, the revamped requirements of CMMC 2.0 will apply to both prime contractors and subcontractors. The changes described below will be implemented through the formal rulemaking process, which can take anywhere from 9 to 24 months. As a result, the earliest the DoD expects to implement CMMC 2.0 is August 2022. Until the rulemaking process is complete, the DoD is suspending its CMMC piloting efforts and will only include CMMC requirements in any contract. Nonetheless, the DOD has announced that it could potentially offer incentives to contractors who voluntarily obtain CMMC certification while the rulemaking process is underway. The DoD also encourages contractors to continue updating and improving their cybersecurity practices and systems in the interim.

Key changes

Reduction in certification levels

Unlike the previous framework (discussed in our previous alert here), CMMC 2.0 reduces the total number of certification levels from five to three. Notably, CMMC 2.0 eliminates levels 2 and 4 and renames the surviving levels as follows: (1) Level 1, Fundamental; (2) Level 2, Advanced; and (3) level 3, expert. CMMC 2.0 cybersecurity standards are derived from National Institute of Standards and Technology (NIST SP) Special Publication 800-171 and NIST SP 800-172, which should provide a smoother transition for contractors, including many may already conform to these standards. .


Additionally, CMMC 2.0 removes the requirement that all certification assessments must be performed by third-party organizations, known as CMMC Third-Party Assessment Organizations (“C3PAO”). Instead, the updated framework allows for annual self-assessment for all Tier 1 contractors and Tier 2 contractors, provided that the contractor does not manage “critical information about the national security”. Otherwise, CMMC 2.0 requires a C3PAO assessment every three years for Tier 2 contractors and a government (rather than C3PAO) assessment every three years for Tier 3 contractors.


Additionally, while CMMC 1.0 required contractors to obtain full certification to even submit a defense contract proposal, CMMC 2.0 allows contractors who are not yet fully compliant with applicable cybersecurity requirements to receive contract awards. they implement an action plan. & Milestones (“POAM”). POAMs must provide steps to achieve compliance within a certain timeframe specified by the DoD. The DoD is currently considering a period of 180 days from contract award for contractors to meet the measures set out in their plans.


Finally, CMMC 2.0 allows limited waivers of CMMC requirements for certain critical acquisitions. Although details have not been finalized, the DoD has announced that these waivers will be temporary and must be approved by DoD senior management.

As the CMMC rulemaking process continues to unfold, government contractors should continue to monitor and improve their cybersecurity posture in preparation for CMMC 2.0.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.


Cryptocurrency in 401(k) plans (podcast)

Williams Mullen

In this episode of Williams Mullen’s Benefits Companion, host Brydon DeWitt is joined again by Beryl Ball, Senior Financial Advisor at CAPTRUST, who provides insight into recent…

Taxation of cryptocurrency and similar transactions

Snell and Wilmer

Whether you are an investor expanding your portfolio to include digital assets such as cryptocurrencies and tokens, a business that uses cryptocurrencies to conduct daily transactions…

Ryan H. Bowman