Changes to CMMC – Introducing CMMC 2.0!

Changes to CMMC – Introducing CMMC 2.0!

The Cybersecurity Maturity Model Certification (CMMC), the five cybersecurity maturity level framework was introduced last year to better protect the pentagon’s networks and sensitive controlled unclassified information against cyberattacks!

This framework affects MORE than 300,000 contractors and subcontractors in the defense industry base and their level of security is determined based on the security requirement needed to hold each defense contract.

The requirements were to be released over time and by 2026 all defense contracts were expected to adhere to CMMC requirements. After an internal review of the program and receiving pushback from companies concerned with the challenges and cost of implementing the initial framework, the Pentagon announced CMMC 2.0.

CMMC 2.0 Model

On November 4th, the new version of the framework was released which encompasses a new structure and updated requirements with the original goal of safeguarding sensitive information. Instead of the initial five compliance levels, CMMC 2.0 streamlines the model to just three: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3) and aligns the requirements with the NIST cybersecurity standards.

Source: Acquisition & Sustainment / Office of the Under Secretary of Defense – CMMC Model

By reducing the number of levels, the Pentagon aims to simplify the standards, minimize barriers to compliance, provide clarity on specific requirements and improve the ease of execution, especially for small businesses.

  • Level 1 - Foundational (same as the previous level 1)
  • Level 2 – Advances (previous level 3 and it mirrors NIST SP 800-171)
  • Level 3 – Expert (previous level 5 and it’s a subset of NIST SP 800-172 requirements)

The Department plans to release updated timelines, assessment guides, and scoping guidance within the upcoming weeks, but it’s important for affected organizations to start preparing accordingly.

As a SOC2® certified, Managed Service Security Provider (MSSP), our team at LANAIR will continue to monitor any changes made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements and are here to assist!

If you have any additional questions regarding the changes or where you stand in the new framework send us an email to

Improve your overall cybersecurity posture by empowering your workforce to recognize and prevent social engineering attacks. Our FREE eBook will teach you how to design and implement a cybersecurity awareness training program that works.LEARN MORE HERE