CyberAutopsySHIELD · COMPLIANCE
GUIDE · CMMC FUNDAMENTALS

CMMC 2.0 vs CMMC 1.0. What actually changed.

The framework collapsed from five levels to three. What survived, what was simplified, and what every DoD contractor needs to internalize before the next solicitation.

BY M. Okafor, Managing Partner · Updated 2026-04-12 · 9 min read

In November 2021, the Department of Defense rewrote the CMMC framework. The version most contractors had begun preparing for — with five maturity levels, a heavy emphasis on process maturity, and limited room for self-assessment — was replaced with what we now call CMMC 2.0. The rewrite was meant to reduce the burden on small contractors. In practice, the changes shifted the burden; they did not remove it.

This is the plain-language read of what changed, what survived, and what it means for your next bid. Written from inside the assessment community.

What actually changed

Three structural changes define the difference between CMMC 1.0 and CMMC 2.0. Everything else is a downstream consequence of these three.

  1. The five maturity levels collapsed to three.
  2. Self-assessment is allowed at Level 1 and a subset of Level 2.
  3. POA&Ms are permitted again at certification, with constraints.

Five levels collapsed to three

Under CMMC 1.0, contractors faced a five-level ladder. Levels 1 through 3 mapped roughly to FAR 52.204-21 and subsets of NIST SP 800-171. Levels 4 and 5 introduced advanced and cutting-edge maturity expectations with no clean mapping to existing standards.

CMMC 2.0 reorganized into three levels with a clean basis in established federal standards:

  • Level 1 (Foundational): Maps to FAR 52.204-21 — 17 basic safeguarding practices for Federal Contract Information (FCI). Annual self-assessment.
  • Level 2 (Advanced): Maps to the 110 controls of NIST SP 800-171 Rev. 2. This is the bar for any contractor handling Controlled Unclassified Information. C3PAO assessment required for prioritized contracts.
  • Level 3 (Expert): Maps to a subset of NIST SP 800-172 enhanced controls. Assessed by the DoD itself. Reserved for contractors supporting the highest-priority DoD programs.

FIELD NOTE

If you handle CUI, your target is Level 2. Do not be talked into a higher target unless your program of record explicitly requires Level 3.

Self-assessment vs C3PAO assessment

CMMC 1.0 required third-party assessment at every level above Level 1. CMMC 2.0 introduces two pivotal distinctions:

  • Level 1: Annual self-assessment, affirmed by a senior official, score posted to SPRS.
  • Level 2 (non-prioritized): Triennial self-assessment with annual affirmation. Limited applicability — the program rule reserves this for a narrow set of contracts.
  • Level 2 (prioritized): Triennial C3PAO assessment, annual affirmation. This is the practical bar for the overwhelming majority of contractors handling CUI.
  • Level 3: Triennial DoD-led assessment.

Self-assessment sounds like a relief. It is not. A self-assessment carries the same legal weight as a C3PAO assessment, with one critical difference: when a self-assessed score is later found to be inflated, the contractor — not an assessor — bears the False Claims Act exposure.

POA&Ms returned, under strict rules

CMMC 1.0 was unforgiving: every control had to be implemented at the time of assessment. No Plan of Action and Milestones was permitted. CMMC 2.0 restored a constrained POA&M, with three guardrails:

  1. A minimum SPRS score must be achieved at certification (currently 88 of 110). Below that, no POA&M is permitted at all.
  2. High-value controls cannot be on a POA&M. Specifically, controls weighted at 5 points (e.g., FIPS-validated cryptography, multifactor authentication for privileged users, system boundary protection) must be fully implemented.
  3. POA&Ms close in 180 days. Failure to close results in suspension of certification.

We treat POA&Ms as a scalpel, not a parachute. The full mechanics live in our companion post on POA&M mechanics under CMMC 2.0.
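The three guardrails above are mechanical enough to check before an assessor ever walks in. The script below is an added example written for this guide, not tooling from the author's firm, the Cyber AB or DoD. It assumes the DoD scoring convention of starting at 110 and deducting each NOT MET control's weight, assumes the 180-day closure clock starts on the assessment date, and maps the page's three named 5-point controls to their NIST SP 800-171 Rev. 2 identifiers (3.13.11, 3.5.3, 3.13.1). All SAMPLE-* control ids and their weights are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Figures stated on the page.
MAX_SCORE = 110            # a fully implemented NIST SP 800-171 Rev. 2 inventory
MIN_SCORE_FOR_POAM = 88    # floor below which no POA&M is permitted at certification
POAM_CLOSURE_DAYS = 180    # open POA&M items must close within this window
HIGH_VALUE_WEIGHT = 5      # 5-point controls may never sit on a POA&M


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    weight: int        # 1, 3 or 5 under the DoD assessment methodology
    implemented: bool


def sprs_score(controls):
    """Start at 110 and deduct the weight of every unimplemented control.

    Controls absent from the list are treated as implemented, so a short
    list of known gaps is enough to compute the score (assumption: the
    full weight is deducted for each NOT MET control)."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)


def poam_review(controls, assessment_date):
    """Apply the three guardrails to a control inventory.

    Returns the score, whether a POA&M is permitted at all, which open
    gaps block certification outright, and the closure deadline
    (assumption: the 180-day clock starts on the assessment date)."""
    score = sprs_score(controls)
    gaps = [c for c in controls if not c.implemented]
    blocking = [c for c in gaps if c.weight == HIGH_VALUE_WEIGHT]
    eligible = score >= MIN_SCORE_FOR_POAM and not blocking
    return {
        "score": score,
        "poam_eligible": eligible,
        "blocking_controls": [c.control_id for c in blocking],
        "poam_items": [c.control_id for c in gaps] if eligible else [],
        "closure_deadline": (assessment_date + timedelta(days=POAM_CLOSURE_DAYS)
                             if eligible and gaps else None),
    }


# Constructed sample inventories (not real assessment results). The three
# 5-point controls are the page's own examples, mapped to their NIST SP
# 800-171 Rev. 2 ids; the SAMPLE-* ids and their weights are made up.
HIGH_VALUE_MET = [
    Control("3.13.11", "FIPS-validated cryptography for CUI", 5, True),
    Control("3.5.3", "MFA for privileged accounts", 5, True),
    Control("3.13.1", "System boundary protection", 5, True),
]
SMALL_GAPS = [
    Control("SAMPLE-01", "constructed 1-point gap", 1, False),
    Control("SAMPLE-02", "constructed 3-point gap", 3, False),
    Control("SAMPLE-03", "constructed 3-point gap", 3, False),
    Control("SAMPLE-04", "constructed 1-point gap", 1, False),
]
ELIGIBLE = HIGH_VALUE_MET + SMALL_GAPS                       # score 102, POA&M allowed
BLOCKED = [Control("3.13.11", "FIPS-validated cryptography for CUI", 5, False)] \
    + HIGH_VALUE_MET[1:] + SMALL_GAPS                        # score 97, but a 5-pointer is open
BELOW_FLOOR = HIGH_VALUE_MET + SMALL_GAPS + [
    Control(f"SAMPLE-{n:02d}", "constructed 1-point gap", 1, False)
    for n in range(5, 24)
]                                                             # 19 more points off: score 83
DEMO_DATE = date(2026, 4, 12)                                 # constructed assessment date

if __name__ == "__main__":
    for name, inventory in (("eligible", ELIGIBLE), ("blocked", BLOCKED),
                            ("below_floor", BELOW_FLOOR)):
        print(name, poam_review(inventory, DEMO_DATE))
```

The BLOCKED case is the one contractors most often misread: a score of 97 clears the 88 floor comfortably, yet a single open 5-point control means no POA&M is available and the assessment fails until it is implemented.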

NIST 800-171 alignment, confirmed

CMMC 1.0 introduced practices that did not cleanly map to NIST SP 800-171. Contractors were being asked to implement controls that did not exist in any other federal standard, and to do so against an assessment methodology that was still being authored. CMMC 2.0 returned to a clean alignment: Level 2 is NIST SP 800-171 Rev. 2, full stop.

Assessment is performed against the corresponding NIST SP 800-171A determination statements. If you read 800-171A carefully, you read CMMC Level 2 assessment.

What survived from CMMC 1.0

  • The 110-control inventory of NIST SP 800-171 Rev. 2.
  • The C3PAO accreditation pathway and the CMMC-AB (now Cyber AB) governance body.
  • The RPO program for readiness providers.
  • The federal conflict-of-interest separation between RPO and C3PAO services.
  • The SPRS scoring methodology and the −203 to +110 range.

What it means for you

If your CMMC 1.0 preparation was thorough, most of it carries forward. The 110-control implementation effort is the same. What changed is the assessment posture and the POA&M latitude. The two questions you need to answer this quarter:

  1. Is your target Level 1 (FCI only) or Level 2 (CUI handling)? — the answer is dictated by your contract language, not by your IT team's preference.
  2. Will your Level 2 path be self-assessment or C3PAO assessment? — the answer depends on whether your contracting officer has flagged your award as prioritized.

Both answers are in your contract or in the prime's flow-down letter. They are not debatable. We help contractors confirm the answer in a 15-minute triage call before they spend the first dollar of CMMC budget.
