CMMC 2.0 vs. CMMC 1.0: A Side-by-Side Comparison of Requirements and Impact

Why the Shift from CMMC 1.0 to CMMC 2.0 Matters for Defense Contractors

When the Department of Defense first introduced the Cybersecurity Maturity Model Certification in 2020, it represented the most significant overhaul of defense contractor cybersecurity requirements in a generation. Then, just over a year later, the DoD announced a major revision. CMMC 2.0 was not a cosmetic update. It fundamentally restructured how certification works, who must comply, and how compliance is verified. If your organization is working toward CMMC, CUI, and DFARS compliance, understanding exactly what changed — and why it matters — is essential before your next contract award.

This post provides a direct, practical comparison of CMMC 1.0 and CMMC 2.0, covering structural changes, level requirements, assessment obligations, and the operational impact on defense contractors of every size.

Structure: From Five Levels to Three

One of the most immediately visible differences between the two versions is the number of certification levels.

CMMC 1.0: Five Maturity Levels

The original framework used five progressive levels, each building on the last:

  • Level 1 — Basic Cyber Hygiene: 17 practices drawn from FAR 52.204-21.
  • Level 2 — Intermediate Cyber Hygiene: 72 practices, a transitional tier between basic and good hygiene.
  • Level 3 — Good Cyber Hygiene: 130 practices, aligned primarily with NIST SP 800-171.
  • Level 4 — Proactive: 156 practices, incorporating a subset of NIST SP 800-172 controls.
  • Level 5 — Advanced/Progressive: 171 practices, representing the highest level of sophistication.

CMMC 2.0: Three Streamlined Levels

CMMC 2.0 eliminated Levels 2 and 4, consolidating the framework into three tiers:

  • Level 1 — Foundational: 17 practices, identical to the original Level 1, focused on Federal Contract Information (FCI).
  • Level 2 — Advanced: 110 practices, fully aligned with all 110 controls in NIST SP 800-171. This is where the majority of defense contractors will land.
  • Level 3 — Expert: 110+ practices, building on NIST SP 800-171 with additional controls from NIST SP 800-172, reserved for contractors working on the most critical programs.

The removal of the intermediate tiers was intentional. It reduced ambiguity and forced cleaner alignment with established NIST standards that contractors were already expected to meet under DFARS 252.204-7012. If you want a deeper look at what each tier demands, our breakdowns of CMMC 2.0 Level 1, CMMC 2.0 Level 2, and CMMC 2.0 Level 3 cover each in detail.

Assessment and Certification: Who Verifies Your Compliance

This is where CMMC 2.0 made changes that have the most direct operational impact on contractors.

CMMC 1.0: Third-Party Assessment Required Across All Levels

Under the original model, all five levels required assessment by an accredited third-party assessment organization (C3PAO). There were no self-assessment pathways. Every contractor, regardless of size or the sensitivity of the data handled, was required to go through the same external certification process. For small and mid-sized defense contractors, this created serious cost and timeline concerns even before the rule was fully implemented.

CMMC 2.0: A Tiered Assessment Approach

CMMC 2.0 introduced differentiated assessment requirements based on level:

  • Level 1: Annual self-assessment with an annual affirmation by a senior company official submitted to the Supplier Performance Risk System (SPRS).
  • Level 2: The majority of Level 2 contractors require a triennial third-party assessment by a C3PAO. However, a subset of Level 2 contractors handling less sensitive CUI may qualify for annual self-assessment, subject to DoD determination.
  • Level 3: Government-led assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

This tiered approach meaningfully reduces the burden on contractors with lower-risk profiles while maintaining rigorous oversight where it matters most. That said, if your organization is at Level 2 and is assuming it qualifies for self-assessment, verify that assumption carefully with legal and compliance counsel before your next contract cycle.

Alignment with NIST Standards

CMMC 1.0 introduced its own unique practices and maturity processes that, while traceable to NIST, were not a one-to-one mapping. This created confusion, particularly around how existing NIST SP 800-171 compliance efforts translated to CMMC readiness.

CMMC 2.0 corrected this by eliminating the unique CMMC-specific practices and maturity processes entirely at Levels 1 and 2. Level 2 is now a direct, unambiguous implementation of all 110 controls from NIST SP 800-171. Level 3 extends into NIST SP 800-172. This means your existing System Security Plan (SSP) and Plan of Action and Milestones (POA&M) work under DFARS 252.204-7012 forms the foundation of your CMMC 2.0 readiness. Contractors who have already made progress toward NIST SP 800-171 compliance are building directly toward CMMC 2.0 certification.

Plans of Action and Milestones: A Critical Policy Shift

Under CMMC 1.0, there was essentially no POA&M pathway. You either met the requirements or you did not earn the certification. This created a binary outcome that penalized contractors still in the process of remediating gaps.

CMMC 2.0 introduced a limited POA&M allowance. Contractors may receive conditional certification with an approved POA&M for certain controls, provided those items are remediated within 180 days of the assessment. However, specific controls are designated as immediately required with no POA&M eligibility. Understanding which controls fall into each category is essential to your pre-assessment planning. This is precisely the kind of nuanced guidance that a Regulatory vCISO can help your team navigate before you sit down with a C3PAO.

Waivers and Contract Flexibility

CMMC 1.0 had no formal waiver process. CMMC 2.0 introduced a narrow, senior-level DoD waiver process for mission-critical situations. This is not a routine pathway — it requires Secretary-level approval and must not create unacceptable risk to national security. For practical purposes, waivers should not factor into your compliance planning. Assume you will need to meet the required level for any contract that includes FCI or CUI.

Subcontractor Flow-Down Requirements

Both versions require prime contractors to flow CMMC requirements down to subcontractors who handle CUI or FCI. CMMC 2.0 did not change this expectation. If your subcontractors are not meeting the required certification level, your organization is at risk. This is especially relevant for manufacturers, system integrators, and aerospace suppliers with layered supply chains. Contractors in the aerospace and defense sector in particular should conduct due diligence on their entire subcontractor ecosystem.

Key Differences at a Glance

  • Number of levels: CMMC 1.0 had five; CMMC 2.0 has three.
  • Unique practices: CMMC 1.0 included DoD-specific practices; CMMC 2.0 relies entirely on NIST standards.
  • Self-assessment: Not available in CMMC 1.0; available at Levels 1 and select Level 2 under CMMC 2.0.
  • POA&M allowance: Not permitted under CMMC 1.0; conditionally permitted under CMMC 2.0.
  • Waivers: No waiver process in CMMC 1.0; limited senior DoD waiver process introduced in CMMC 2.0.
  • Government-led assessments: CMMC 1.0 relied solely on C3PAOs; CMMC 2.0 introduces DIBCAC-led assessments at Level 3.

What This Means for Your Compliance Program Right Now

The transition to CMMC 2.0 is no longer hypothetical. The final rule is in effect, and DoD contracts are actively incorporating CMMC requirements. Contractors who treated CMMC 1.0 planning as a holding pattern need to reassess their posture against the current requirements immediately.

The most important immediate steps are: confirm which CMMC level applies to your contracts, assess your current NIST SP 800-171 implementation score in SPRS, identify POA&M-eligible gaps versus hard requirements, and determine whether you need a C3PAO or qualify for self-assessment. A structured compliance program development engagement can accelerate this process significantly and ensure you are building toward certification rather than just checking boxes. You may also want to review our post on how to prepare for your CMMC audit for a practical pre-assessment checklist.

Get Expert Guidance on CMMC 2.0 Compliance

Understanding the differences between CMMC 1.0 and CMMC 2.0 is the first step. Executing a defensible, audit-ready compliance program is the work that follows. At Cleared Systems, we have guided defense contractors, subcontractors, and federal suppliers through every stage of this process. Whether you are starting your gap assessment, remediating findings, or preparing for a C3PAO audit, our team is ready to help. Request a quote today to speak with a CMMC compliance expert about where your organization stands and what it takes to get where you need to be.
