CMMC 1.0 vs. CMMC 2.0: What's Changed and What It Means for Your Business
The Cybersecurity Maturity Model Certification (CMMC) is a set of cybersecurity standards and practices that organizations in the Defense Industrial Base (DIB) must implement to protect the federal information they handle. Introduced by the U.S. Department of Defense (DoD) in 2020, CMMC was designed to protect the confidentiality of federal contract information (FCI) and controlled unclassified information (CUI).
Because of the sensitivity of the information handled by companies that contract with the DoD, prime contractors and subcontractors are required to achieve and maintain the CMMC level specified in their contracts, which means maintaining a sound cybersecurity posture for the life of the contract. Phased implementation begins later this year and rolls out over several years.
What Is CMMC?
The Cybersecurity Maturity Model Certification, or CMMC, is a unified set of cybersecurity standards and practices applicable to DoD contractors that handle FCI or CUI. It defines the requirements organizations must meet to protect that information from unauthorized access and modification, and it gives the DoD a way to verify that contractors actually comply with its cybersecurity regulations rather than merely attesting to compliance.
Why Is It Important?
CMMC is important for two reasons. First, it provides organizations with a framework for meeting DoD cybersecurity standards. Second, it helps organizations protect the confidentiality of FCI and CUI. This is important for DoD contractors, as the unauthorized access or modification of FCI and CUI could result in significant financial, reputational, and legal repercussions.
Who Must Obtain CMMC Certification?
Any organization within the defense industrial base (DIB) that handles federal contract information (FCI) or controlled unclassified information (CUI) as part of a DoD contract must achieve CMMC certification at the level specified in the contract. This includes prime contractors, subcontractors at all tiers, consultants, and potentially cloud service providers or managed service providers supporting these organizations.
If your organization only handles FCI, you’ll typically need Level 1 certification. If you handle CUI, you will likely require Level 2 or, for highly sensitive CUI programs, Level 3. Relevant contractual clauses like DFARS 252.204-7012, 7019, 7020, and the upcoming 7021 mandate these cybersecurity requirements and require prime contractors to flow them down to subcontractors. For example, a small machine shop subcontracting for a large aerospace prime contractor will need CMMC certification if their work involves CUI, such as technical drawings or specifications.
From CMMC 1.0 to CMMC 2.0
In November 2021, the DoD announced that it would be implementing CMMC 2.0 in place of CMMC 1.0. This updated framework implements several changes to increase the cyber hygiene of all contractors that hold or participate in DoD contracts. The DoD announced it would engage in rulemaking over the subsequent 9 to 24 months, making it critical for federal contractors and subcontractors to prepare for the implementation of CMMC 2.0 so that they can achieve compliance.
CMMC 1.0, released in 2020, organized its control domains and security practices into five maturity levels ranging from basic cyber hygiene (Level 1) to advanced/progressive (Level 5). CMMC 2.0 reduced the maturity levels from five to three by removing the transitional Levels 2 and 4 of the 1.0 model. Level 1 remained unchanged: it still has 17 practices, which map to the 15 basic safeguarding requirements in FAR Clause 52.204-21.
CMMC 2.0 Level 2 takes the place of the previous Level 3, but without the 20 "delta" practices that CMMC 1.0 had added on top of NIST SP 800-171, so Level 2 aligns exactly with the 110 requirements of NIST SP 800-171. CMMC 2.0 Level 3 replaces the previous Levels 4 and 5 and is still under development, based on a subset of NIST SP 800-172.
Why the DoD Introduced CMMC 2.0
The transition from CMMC 1.0 to 2.0 was driven by several strategic goals aimed at refining the program based on stakeholder feedback and evolving cybersecurity needs.
Key objectives included: aligning CMMC requirements more closely with established standards like NIST SP 800-171 to reduce redundancy; simplifying the model by reducing the number of CMMC levels from five to three; reducing the assessment burden and costs, particularly for small businesses, by allowing a self-assessment for Level 1 and some Level 2 contracts; and enhancing overall supply chain security by focusing efforts on protecting CUI.
Announced in November 2021, CMMC 2.0 aimed to streamline implementation through a phased rollout tied to DoD rulemaking, offering businesses greater clarity on requirements, more flexible assessment options, and a more scalable approach to cybersecurity maturity.
CMMC 1.0 vs. CMMC 2.0: Major Differences
Some of the major differences that came with the introduction of CMMC 2.0 from CMMC 1.0 include:
Certification Levels
The CMMC 1.0 model established five certification levels, while the CMMC 2.0 model has consolidated the certification levels to three. The certification levels are critical for determining the security requirements for the specific contract.
CMMC 2.0 Level 1 (Foundational) is necessary for DoD contractors and subcontractors that handle FCI. CMMC 2.0 Level 1 requires organizations to adhere to basic cybersecurity practices focused on protecting FCI, as specified in FAR Clause 52.204-21.
CMMC 2.0 Level 2 (Advanced) requires organizations to have more robust cybersecurity practices in place, such as access control, incident response, and media protection. This level is designed to protect the confidentiality of CUI from more sophisticated threats. The Advanced level is aligned with National Institute of Standards and Technology SP 800-171 (NIST SP 800-171). Contracts involving CUI generally require a triennial third-party assessment by a CMMC Third Party Assessor Organization (C3PAO); a smaller set of Level 2 contracts permits an annual self-assessment.
Level 3 (Expert) is the highest level of CMMC and requires the implementation of advanced practices such as system hardening and data recovery. This level is designed to protect the confidentiality, integrity, and availability of CUI from advanced persistent threats. Information on Level 3 will be released later and will contain a subset of the security requirements specified in NIST SP 800-172.
Domain Structure
The CMMC 1.0 model had 17 security domains. CMMC 2.0 reduced these to 14 by dropping the three domains that have no counterpart in NIST SP 800-171: Asset Management (AM), Recovery (RE), and Situational Awareness (SA). The remaining 14 domains map one-to-one to the NIST SP 800-171 requirement families (Access Control, Incident Response, Risk Assessment, and so on), so a contractor's existing NIST SP 800-171 implementation and System Security Plan carry over directly instead of being re-mapped onto CMMC-specific domains.
Third-party Assessors
CMMC 2.0 requires a C3PAO assessment for Level 2 contracts that call for third-party certification (Level 2 contracts designated for self-assessment do not). Level 3 is assessed by the government (DCMA DIBCAC), and a final Level 2 certification from a C3PAO is a prerequisite for a Level 3 assessment. C3PAOs, accredited through the Cyber AB, evaluate whether companies in the DIB supply chain have met the CMMC requirements and issue the resulting certificates.
Core Security Domains in CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is structured around a set of security domains that align closely with the requirements in NIST SP 800-171 and, at the highest level, NIST 800-172. These domains represent core areas of cybersecurity practices that organizations must implement and mature over time, depending on the CMMC level they seek to achieve. Below is a summary of the key CMMC 2.0 domains, highlighting their purpose and how the requirements scale across CMMC Levels 1, 2, and 3:
- Access Control (AC): Limit system access to authorized users, processes, or devices. Requirements scale significantly from Level 1 to Level 2.
- Awareness and Training (AT): Ensure users are aware of security risks and trained to perform their duties securely. Applies to all levels, with more rigor at Level 2/3.
- Audit and Accountability (AU): Create, protect, and retain system audit records to enable monitoring, analysis, investigation, and reporting. Primarily Level 2/3 requirement based on NIST SP 800-171.
- Configuration Management (CM): Establish and maintain baseline configurations and manage changes to systems. Primarily Level 2/3 requirement.
- Identification and Authentication (IA): Identify and authenticate organizational users (or processes acting on behalf of users). Requirements scale from Level 1 to Level 2.
- Incident Response (IR): Establish capabilities to detect, analyze, contain, eradicate, and recover from incidents. Primarily Level 2/3 requirement.
- Maintenance (MA): Perform maintenance on organizational systems. Primarily Level 2/3 requirement.
- Media Protection (MP): Protect and control system media containing CUI. Requirements scale from Level 1 to Level 2.
- Personnel Security (PS): Screen individuals prior to authorizing access. Primarily Level 2/3 requirement.
- Physical Protection (PE): Limit physical access to systems and facilities. Requirements scale from Level 1 to Level 2.
- Risk Assessment (RA): Assess and manage risks associated with operating organizational systems. Primarily Level 2/3 requirement.
- Security Assessment (CA): Assess security controls effectiveness and manage remediation actions. Primarily Level 2/3 requirement.
- System and Communications Protection (SC): Monitor, control, and protect organizational communications. Requirements scale from Level 1 to Level 2.
- System and Information Integrity (SI): Identify, report, and correct information flaws in a timely manner. Requirements scale from Level 1 to Level 2.
- Recovery (RE): Not a separate CMMC 2.0 domain. Backup-related requirements sit in Media Protection (3.8.9) and recovery activities in Incident Response; NIST SP 800-171 has no Contingency Planning family.
- Situational Awareness (SA): Not a separate CMMC 2.0 domain; threat-alert and monitoring concepts are covered within IR, CA, and SI (for example, 3.14.3 on monitoring security alerts and advisories).
- Asset Management (AM): Not a separate CMMC 2.0 domain; asset inventory concepts are covered within CM and CA.

Effectively, the CMMC 2.0 domains map directly to the 14 requirement families of NIST SP 800-171 for Level 2, plus the basic safeguarding requirements of FAR 52.204-21 for Level 1. Level 3 builds upon Level 2 with requirements derived from NIST SP 800-172.
These domains have specific requirements that defense contractors must meet in order to demonstrate CMMC compliance. For more on these domains, including their requirements and best practices for compliance check out: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System and Information Integrity.
Compliance Requirements at Each CMMC 2.0 Level
CMMC 2.0 defines three distinct maturity levels, each tailored to the sensitivity of the information an organization handles and the threat environment in which it operates. As organizations progress from Level 1 to Level 3, the requirements become increasingly rigorous, reflecting the growing need for robust cybersecurity practices to protect federal information. Below is an overview of each level, including the types of data protected, required practices, assessment expectations, and documentation standards:
Level 1 (Foundational):
- Data Scope: Protects Federal Contract Information (FCI).
- Practices: The 15 basic safeguarding requirements of FAR 52.204-21 (expressed as 17 practices in the CMMC 2.0 model).
- Assessment: Annual self-assessment, with the result submitted to the Supplier Performance Risk System (SPRS).
- Documentation: Basic policies and procedures sufficient to implement the Level 1 practices. POA&Ms are not permitted; every practice must be fully met.
Level 2 (Advanced):
- Data Scope: Protects Controlled Unclassified Information (CUI).
- Practices: 110 practices fully aligned with NIST SP 800-171 Rev 2.
- Assessment: Depends on the CUI handled. Some contracts may allow an annual self-assessment, while others (handling critical CUI) require a triennial third-party assessment conducted by an accredited C3PAO.
- Documentation: Requires a System Security Plan (SSP), a Plan of Action & Milestones (POA&M) for any unmet requirements (with strict limitations and closure timelines), and evidence of implementation for all 110 requirements.
Level 3 (Expert):
- Data Scope: Protects CUI associated with programs exposed to Advanced Persistent Threats (APTs).
- Practices: All 110 practices from NIST SP 800-171 plus a subset of NIST SP 800-172 requirements (details still under finalization).
- Assessment: Triennial government-led assessment conducted by the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), following a final Level 2 C3PAO certification.
- Documentation: Requires an SSP, a POA&M (likely with stricter limitations than Level 2), and extensive evidence demonstrating implementation of the enhanced controls against APTs.
Key administrative controls include developing and maintaining the SSP, conducting regular risk assessments, managing POA&Ms, providing security awareness training, and having incident response plans. Technical controls span areas like access control, encryption, system monitoring, vulnerability management, and configuration management, increasing in rigor across the CMMC levels.
Best Practices for Achieving CMMC 2.0 Compliance
For an organization to successfully comply and be certified for any of the three levels of CMMC 2.0 compliance, it needs to follow some best practices, which include:
Implement Security Controls
The first step in achieving CMMC 2.0 compliance is to implement security controls. To begin, organizations should identify their current compliance requirements and establish a baseline risk assessment that outlines the scope of the security controls that must be implemented. Security controls should be tailored to an organization’s specific needs, making sure that all systems and processes are covered. Organizations should take into consideration the technical and procedural measures necessary to protect information and systems, such as access control, identity and authentication management, configuration management, segregation of duties, data security, system patching and vulnerability management, security training, and incident response plans.
Conduct Continuous Monitoring
Once the security controls are in place, organizations should ensure they are continuously monitored. Continuous monitoring involves regularly assessing the environment to ensure the effectiveness of the security controls implemented and that current threats are identified and addressed in a timely manner. Organizations should develop a process to identify, assess, and remediate any issues that may arise during monitoring activities. This process should include measures to document any security incidents, review security activities and trends, and take appropriate actions when necessary.
Establish Incident Response Plans
Organizations should also establish an incident response plan prior to attempting CMMC 2.0 compliance. This plan should outline the steps an organization will take if it experiences a security incident, such as the types of incidents that will trigger a response, the roles and responsibilities of personnel involved, the processes to be followed, and the appropriate communication activities. It is also important for organizations to develop a plan for recovering from a security incident, including identifying the data and systems to be restored, the steps necessary to restore them, and the personnel that should be notified. Additionally, organizations should make sure to regularly review and update their incident response plans to ensure they are up to date and effective.
Document Compliance
Organizations should document their processes and activities to demonstrate compliance with CMMC 2.0. Documentation should include any security policies, procedures, and training activities; incident response plans; and assessment results. It is important to ensure that all documentation is accurate, up to date, and easily accessible. Organizations should also make sure that all personnel are familiar with the documentation, including how to use it and what it covers. Additionally, organizations should develop procedures to ensure that the documentation is regularly reviewed and updated to keep pace with changes in the environment.
CMMC 2.0 Compliance Checklist
Achieving and maintaining CMMC 2.0 compliance requires a structured and proactive approach. Whether preparing for a self-assessment or a formal third-party review by a C3PAO, organizations must take deliberate steps to align their cybersecurity posture with the appropriate maturity level. The following actions outline a typical roadmap for organizations seeking CMMC certification, from scoping and gap analysis to formal assessment and ongoing compliance:
- Determine Scope and Required Level: Identify all systems handling FCI and CUI and determine the required CMMC level (Level 1, 2, or 3) based on contract clauses and data sensitivity.
- Conduct Gap Analysis: Assess your current cybersecurity posture against the specific practices required for your target level (FAR 52.204-21 for CMMC Level 1, NIST 800-171 for CMMC Level 2, NIST SP 800-171 + NIST 800-172 subset for CMMC Level 3).
- Develop/Update System Security Plan (SSP): Document how each required security control is implemented (or planned to be implemented). Templates and guidance are available on the DoD CMMC website.
- Create Plan of Action & Milestones (POA&M): For any identified gaps (applicable primarily to Level 2 preparation, though POA&Ms have limited use for the actual assessment), document the remediation plan, resources needed, and completion timeline.
- Implement Remediation Actions: Execute the POA&M items, implementing necessary security controls, policies, and procedures to close identified gaps.
- Conduct Self-Assessment: Perform a thorough internal self-assessment (required annually for Level 1 and some Level 2 contracts) to verify control implementation and readiness. Submit scores to SPRS as required.
- Select C3PAO (if applicable): For Level 2 contracts that require a third-party assessment, select an accredited CMMC Third-Party Assessor Organization (C3PAO) from the Cyber AB Marketplace. Level 3 is assessed by the government (DIBCAC), but a final Level 2 C3PAO certification is a prerequisite, so the same selection step applies.
- Undergo Formal Assessment: Coordinate and complete the required assessment (Self, C3PAO, or Government DIBCAC). Provide necessary documentation and evidence.
- Maintain Continuous Monitoring: Cybersecurity is ongoing. Continuously monitor, review, and update security controls, documentation (SSP, POA&M), and practices to maintain compliance between assessments. Stay informed on CMMC rulemaking updates via official DoD channels.
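The self-assessment and SPRS steps in the checklist come down to the scoring arithmetic of the DoD Assessment Methodology for NIST SP 800-171: start at 110 and subtract each unmet requirement's weight of 5, 3, or 1. The Python below is an added worked example, not Kiteworks code or DoD tooling. It scores a constructed set of findings, applies the two partial-credit rules (3.5.3 MFA and 3.13.11 FIPS-validated cryptography), refuses to produce a score when no SSP exists (3.12.4), and checks the two conditions for a conditional Level 2 certification with a POA&M: a score of at least 88 and no open item worth more than one point. The `WEIGHTS` table is an excerpt of Annex A covering eight of the 110 requirements; the sample findings are made up; and the eligibility check does not model requirement-specific exceptions in the rule.

```python
"""Score a NIST SP 800-171 self-assessment the way SPRS expects it.

Added worked example (not Kiteworks or DoD code). Rules follow the DoD
Assessment Methodology: begin at 110, subtract the weight of every
requirement that is NOT MET, with partial credit for two requirements.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MAX_SCORE = 110
CONDITIONAL_MIN = 88  # 80% of 110: floor for a conditional Level 2 certification

# Excerpt of the Annex A weights. A real tool carries all 110 requirements;
# only eight are shown here to keep the example short.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users/devices
    "3.1.2": 5,    # limit access to the transactions/functions users may perform
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # verify/control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
}

# The only two requirements with a partial-credit deduction:
#   3.5.3   MFA for remote and privileged users but not general users -> 3
#   3.13.11 encryption in use but not FIPS-validated                 -> 3
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    req: str      # NIST SP 800-171 requirement id, e.g. "3.5.3"
    status: str   # "met", "not_met" or "partial"


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for one finding."""
    if f.req not in WEIGHTS:
        raise KeyError(f"no weight for {f.req}; extend WEIGHTS from Annex A")
    if f.status == "met":
        return 0
    if f.status == "not_met":
        return WEIGHTS[f.req]
    if f.status == "partial":
        if f.req not in PARTIAL_CREDIT:
            raise ValueError(f"{f.req} has no partial-credit rule; score it met or not_met")
        return PARTIAL_CREDIT[f.req]
    raise ValueError(f"unknown status {f.status!r} for {f.req}")


def sprs_score(findings: Iterable[Finding], ssp_exists: bool = True) -> int:
    """SPRS score for the assessment. Without an SSP (3.12.4) there is no score."""
    if not ssp_exists:
        raise ValueError("3.12.4 not met: without an SSP the assessment cannot be scored")
    return MAX_SCORE - sum(deduction(f) for f in findings)


def open_items(findings: Iterable[Finding]) -> List[Tuple[str, int]]:
    """(requirement, deduction) for everything that would go on a POA&M."""
    return [(f.req, deduction(f)) for f in findings if f.status != "met"]


def poam_eligible(findings: List[Finding], ssp_exists: bool = True) -> Tuple[bool, List[str]]:
    """Check the two conditions for a conditional Level 2 certification.

    Returns (eligible, reasons). Requirement-specific exceptions in the
    CMMC Program rule are deliberately not modelled here.
    """
    reasons = []
    s = sprs_score(findings, ssp_exists)
    if s < CONDITIONAL_MIN:
        reasons.append(f"score {s} is below the {CONDITIONAL_MIN} minimum")
    heavy = [req for req, d in open_items(findings) if d > 1]
    if heavy:
        reasons.append("open items worth more than 1 point: " + ", ".join(heavy))
    return (not reasons, reasons)


# Constructed sample findings for a small contractor (hypothetical).
SAMPLE = [
    Finding("3.1.1", "met"),
    Finding("3.1.2", "met"),
    Finding("3.1.5", "not_met"),     # shared admin accounts still in use      -3
    Finding("3.1.20", "not_met"),    # no inventory of external connections    -1
    Finding("3.1.22", "met"),
    Finding("3.3.1", "met"),
    Finding("3.5.3", "partial"),     # MFA for VPN and admins, not all users   -3
    Finding("3.13.11", "partial"),   # TLS everywhere, modules not FIPS-validated -3
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    ok, why = poam_eligible(SAMPLE)
    print("conditional certification possible:", ok, why)
```

Run stand-alone, the sample scores 100 but still fails the POA&M check, because three open items carry more than one point; closing 3.1.5 and finishing the MFA and FIPS rollouts is the work that matters before the assessment, not the 1-point inventory gap.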
Frequently Asked Questions
Why Is CMMC Compliance Important?
The DoD mandates that all contractors adhere to the CMMC requirements to be eligible for government contracts. This ensures that these contractors understand and are actively implementing protective measures against malicious actors and data breaches. CMMC compliance is also important for organizations to demonstrate their commitment to cybersecurity and demonstrate that sensitive customer data is properly protected.
What Are CMMC Security Requirements?
CMMC security requirements are a set of security standards designed to help organizations secure their networks, protect their data, and comply with applicable laws and regulations. The requirements are divided into the three CMMC 2.0 levels outlined above and cover areas such as access control, configuration management, incident response, media protection, system and communications protection, personnel security, and physical protection.
How Do CMMC Requirements Differ From NIST SP 800-171 Requirements?
NIST SP 800-171 is the control catalog; CMMC is the verification program built on top of it. Under DFARS 252.204-7012 and 7019, contractors self-attest that they implement NIST SP 800-171 and report a self-assessment score to SPRS. CMMC 2.0 Level 2 adopts the same 110 requirements but, for most contracts involving CUI, replaces self-attestation with a triennial assessment by a C3PAO, and Level 3 adds a government-led DIBCAC assessment against a subset of NIST SP 800-172. Level 1, the Foundational level, only requires an annual self-assessment.
Accelerating CMMC Compliance With Kiteworks
Kiteworks is a trusted provider of cybersecurity solutions for federal agencies like the DoD as well as various DIB suppliers that require CMMC certification. Because Kiteworks is FedRAMP Authorized for Moderate Level Impact, DoD suppliers using Kiteworks benefit from support for nearly 90% of CMMC 2.0 Level 2 requirements out of the box. This significantly reduces the time required for DoD contractors and subcontractors to obtain CMMC Level 2 compliance.
This translates into positive outcomes when a DoD supplier goes through a C3PAO audit. Specifically, the Kiteworks Private Content Network helps them streamline the CMMC processes and audit procedures, making the whole process faster and more efficient. With Kiteworks’ support, DoD contractors can protect their DoD business by obtaining CMMC compliance quickly and easily.
Schedule a custom demo to see the Kiteworks platform in action and learn how it can accelerate your CMMC compliance journey.