CMMC 2.0 Explained: All Your Questions Answered

This comprehensive guide answers the most common questions about CMMC 2.0 in plain language.

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0 has created uncertainty for many contractors. With new requirements and streamlined processes, understanding what this means for your business is crucial.

This guide covers what changed, who needs to comply, and how to prepare your organization for the new cybersecurity requirements.

What Is CMMC 2.0?

CMMC 2.0 is the latest version of the DoD’s framework for verifying that contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It replaces the original CMMC model, which many contractors found complex and costly.

The framework is designed to simplify requirements while improving cybersecurity compliance across the defense industrial base. The DoD developed this streamlined approach to ensure contractors can protect sensitive information without overwhelming administrative burdens. The goal is to create a more practical pathway to compliance that works for businesses of all sizes.

Why Did the DoD Update to CMMC 2.0?

The original CMMC faced significant pushback from contractors who found it overly complex and expensive. The DoD listened to these concerns and made strategic changes to address key issues.

One primary reason for the update was to reduce complexity and cost for small and medium contractors. Many smaller businesses struggled with the original five-level structure and extensive assessment requirements.

The DoD also wanted to align more closely with existing federal cybersecurity requirements, chiefly NIST SP 800-171, which DFARS 252.204-7012 already requires contractors handling CUI to implement. This alignment reduces confusion and eliminates duplicate effort for contractors already working toward compliance with that standard. The update also aims to speed up the implementation and enforcement of cybersecurity protections.

What Are the New Levels?

The new framework reduces the original five levels to three tiers, each designed for specific types of contracts and data handling requirements.

Level 1: Foundational

For contractors handling Federal Contract Information (FCI)

  • Requires the 15 basic safeguarding requirements of FAR 52.204-21 (earlier CMMC 2.0 model documents listed these as 17 practices)
  • Annual self-assessment, with an annual affirmation by a senior company official

Level 2: Advanced

For contractors handling Controlled Unclassified Information

  • Requires implementation of the 110 security requirements in NIST SP 800-171 (Rev 2, the revision CMMC 2.0 references)
  • Depending on the sensitivity of the CUI on a given contract, either a triennial self-assessment or a triennial certification assessment by an authorized third-party assessment organization (C3PAO), each followed by an annual affirmation

Level 3: Expert

For companies working on the most sensitive DoD programs

  • Adds a selected subset of the enhanced requirements in NIST SP 800-172 on top of Level 2 (a Level 2 C3PAO certification is a prerequisite)
  • Requires triennial government-led assessments by the DoD (DIBCAC), with an annual affirmation

Who Needs to Comply with CMMC 2.0?

Any company in the defense supply chain that handles FCI or CUI must comply with the new framework. This includes prime contractors, subcontractors, cloud service providers, platform developers, system integrators, and any other company that stores, processes, or transmits FCI or CUI as part of the DoD supply chain. Subcontractors need only meet the level required for the information they actually receive, not necessarily the prime’s level.

The requirements apply to both US and international vendors working with the DoD. Location doesn’t matter—if you handle DoD information, you need to meet these standards.

What’s the Difference Between CMMC 1.0 and 2.0?

The differences between CMMC 1.0 and 2.0 are substantial and generally favor contractors seeking more practical compliance paths.

  • Fewer Levels: The most obvious change is fewer levels, reduced from five to three. This simplification eliminates confusion and creates clearer requirements for each tier.
  • Flexibility: Greater flexibility with self-assessments at Level 1 and some Level 2 contracts reduces costs significantly. Companies can avoid expensive third-party assessments when risk levels don’t justify the expense.
  • Faster Updates: The updated model also promises a faster timeline for rulemaking and implementation. This speeds up the entire process while giving contractors more predictable compliance deadlines.

How to Prepare for CMMC 2.0

Ready to begin prepping for this big change? Start by conducting a gap assessment against NIST SP 800-171 Rev 2, checking each of the 110 requirements against how your systems are actually configured rather than against policy documents alone. The assessment identifies where your current cybersecurity measures fall short. Use the results to create a System Security Plan (SSP) describing how each requirement is met and a Plan of Action and Milestones (POA&M) for the ones that are not. The SSP is itself one of the NIST SP 800-171 requirements (3.12.4) and is needed at Level 2 and above; a POA&M is not permitted at Level 1, and at Levels 2 and 3 it may cover only a limited set of unmet requirements and must be closed out within 180 days of the assessment.

Determine your likely CMMC level based on current contracts and the types of data you handle. Understanding your target level helps focus your preparation efforts. The CMMC program rule (32 CFR Part 170) is already in effect, and the contract clause that makes certification a condition of award is being phased in over several years, so begin documenting and implementing the required controls now rather than waiting for the clause to appear in a solicitation.

How Can a Managed IT Provider Help?

Are you worried your business will still struggle to meet the new framework requirements on your own? A managed IT provider can be an invaluable resource in helping you prepare for and maintain compliance with CMMC.

Here are some specific ways a managed IT provider can assist you:

  • Readiness Assessments: Professional providers can conduct thorough readiness assessments against NIST SP 800-171 and identify compliance gaps. They understand the technical requirements and can spot issues you might miss.
  • Control Implementation: Managed IT providers implement required technical controls such as multi-factor authentication, encryption of CUI at rest and in transit, logging, and endpoint protection. They have the tools and expertise to deploy these solutions properly and to keep the SSP in step with what is actually deployed.
  • Ongoing Management: These providers can also manage documentation, training, and the continuous monitoring needed to keep controls in place between assessments.
  • Assessment Support: When assessment time comes, managed IT providers can prepare evidence and walk you through the process. Note that the C3PAO that performs a Level 2 certification assessment must be independent of any organization that helped you implement the controls, so your provider supports the assessment but cannot conduct it.

Protect Your Defense Contracts with Simple Systems

Simple Systems understands that CMMC 2.0 compliance requires more than just checking boxes—it requires comprehensive cybersecurity planning and expert implementation. Our CMMC compliance services help Utah DoD contractors navigate the complexities of DFARS and NIST 800-171 requirements.

No matter where you start, we provide the tools and expertise to achieve full compliance. Don’t wait until the new requirements become mandatory. Contact one of our representatives today to schedule your CMMC consultation and ensure your defense contracts remain secure.