CMMC 2.0 is Here: 6 Key Updates

SaltyCloud Research Team

Updated Nov 19, 2021 Read Time 5 min


The DoD released CMMC 2.0 in 2021, simplifying the cybersecurity certification program for contractors while confirming the fast-approaching compliance deadline.

On November 4, 2021, the Department of Defense (DoD) released the much-anticipated updates to the Cybersecurity Maturity Model Certification (CMMC), dubbed “CMMC 2.0”, following a comprehensive review of over 850 public comments in response to the interim rule establishing CMMC 1.0. The updates simplify the program and reduce it in both scope and expectations, making it easier to understand and more feasible for contractors.

While the simplifications may be welcome, the updates are also confirmation that the requirement for contractors to comply with CMMC is fast approaching. The DoD has indicated that CMMC certification will become a contractual requirement once they finalize the rulemaking between August 2022 and November 2023.

In this article, we’ll go over six key updates from CMMC 1.0 to CMMC 2.0, what you can expect next, and how you can start preparing.

What changed in CMMC 2.0?


Key revisions from CMMC 1.0 to CMMC 2.0 include a simplified level structure and changes to the required security practices (aka controls), assessment process, certification process, and evidence requirements.

1. Levels are simplified and reorganized

CMMC 1.0 was structured around five levels, including two transition levels. In CMMC 2.0, the DoD removed those two transition levels, simplifying the structure to: “Foundational” (previously Level 1), “Advanced” (previously Level 3), and “Expert” (previously Level 5).

2. Controls are aligned with NIST

CMMC 1.0 used security controls from the National Institute of Standards and Technology (NIST) and introduced 46 additional practices that were specific to CMMC. In CMMC 2.0, those extra practices are eliminated, and the program now only uses NIST 800-171 and NIST 800-172 practices.

3. Process maturity requirements are eliminated

CMMC 1.0 required contractors to demonstrate that they had implemented the security practices and a certain level of process maturity to be certified. In CMMC 2.0, the process maturity requirements are eliminated, meaning contractors only have to demonstrate process implementation to be certified.

4. Self-assessments make a comeback and government-led assessments are introduced

CMMC 1.0 required contractors to be certified by a CMMC Third-Party Assessment Organization (C3PAO). In CMMC 2.0, self-assessments make a comeback and government-led assessments are introduced. For Level 1, contractors will be required to conduct annual self-assessments. For Level 2, contractors will be required to conduct self-assessments annually, be certified by a C3PAO every three years for prioritized acquisitions, or both depending on the contract. For Level 3, all contractors will be certified by a government-led assessment every three years.

5. Plan of Actions & Milestones (POAM) makes a comeback

CMMC 1.0 required contractors to have all practices implemented to be certified at Level 3 and Level 5. In CMMC 2.0, contractors may be granted the ability to implement time-bound (<180 days) POAMs to achieve full certification. Each contract will vary, but the DoD will specify which practices can be included as part of the POAM.

6. Limited waivers are introduced

CMMC 1.0 did not allow contractors to waive the CMMC requirements. In CMMC 2.0, the DoD will allow contractors, on a case-by-case basis and with senior leadership approval, to waive certain or all requirements under a specified timeline and associated risk mitigation plan. Such exemptions are expected to be limited, so contractors shouldn’t defer their preparations for CMMC certification based on the assumption they will be granted a waiver.

Do I need to comply with CMMC 2.0?


DIB suppliers must prepare for CMMC 2.0 compliance while adhering to the DFARS Interim Rule and completing a NIST 800-171 Basic Assessment.

All suppliers in the Defense Industrial Base (DIB) will need to comply with the relevant requirements of CMMC 2.0 when the rulemaking is finalized—likely between August 2022 and November 2023. In the meantime, contractors should continue to prepare for certification. Learn more with our guide, The Step-by-Step Guide to Prepare for a CMMC Certification.

Additionally, contractors are still required to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule, which was released on September 29, 2020. The interim rule requires contractors to conduct a NIST 800-171 Basic Assessment using the DoD Assessment Methodology and submit their score into the Supplier Performance Risk System (SPRS). Learn more with our guide, The Complete Guide to the NIST 800-171 Basic Assessment.

How Isora GRC from SaltyCloud can help


Isora GRC from SaltyCloud is the powerfully simple CMMC solution making regulatory compliance easier while helping organizations improve their cyber resilience.

The race against time to prepare for CMMC is intensifying as organizations attempt to safeguard sensitive data and meet DoD requirements ahead of anticipated implementation in May 2023.

Knowing where sensitive data resides, if it’s protected, and whether it meets the CMMC requirements warrants an agile and lightweight solution that transcends outdated GRC platforms and tedious manual spreadsheets.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

  • Ace CMMC compliance audits with collaborative surveys, risk assessments, dynamic dashboards, and insightful reporting for auditors and leadership.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect CUI and other sensitive data with a comprehensive host inventory, robust API integrations, and continuous assessments.
  • Minimize third-party risk with a complete vendor inventory, vendor risk assessment surveys, and vendor approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.
