Demystifying CMMC 2.0 Framework


What is CMMC 2.0?

The CMMC framework has existed for years (CMMC 1 guidelines were released in 2019). However, it needed updating due to the evolving nature of the threats faced by companies that partner with the DOD – and in November 2021, CMMC 2.0 guidelines were released. Companies are now required to reference the CMMC documentation to ensure compliance. This process can be both challenging and time-consuming. In most cases, an organization will need the guidance of a third-party expert to gauge their existing compliance – and, where necessary, make changes and improvements.

CMMC Levels

There are three levels of practice compliance required to achieve CMMC certification.

  • Level 1: Organizations are required to employ basic cybersecurity protocols across 17 practice areas. These are the basic requirements outlined in the Federal Acquisition Regulation Supplement (FAR 52.204-21 – 2016).
  • Level 2: Organizations must provide proof that they comply with the controls set out in NIST SP 800-171. These are already set out in DFARS 252.204-7012 (Defense Federal Acquisition Regulation Supplement).
  • Level 3: This level requires compliance with NIST SP 800-172, which was developed to help organizations guard against hostile actions by non-government actors classified as Advanced Persistent Threats (APTs). These actors have been identified as focused on the United States Department of Defense supply chain. NIST SP 800-172 provides a framework for in-depth protection of sensitive data.

Assessments

  • Level 1: Self-assessments through SPRS reinstated for Level 1.
  • Level 2:
    • Contractors handling CUI are required, at a minimum, to self-assess through SPRS against NIST SP 800-171 on an annual basis. A senior company official (e.g., CEO, CFO) must make the attestation.
    • Non-prioritized contracts can conduct their own internal annual self-assessment through SPRS.
    • Prioritized contracts are to conduct their own annual self-assessment through SPRS AND a C3PAO assessment every 3 years.
    • DOD has not identified which companies need to self-assess and which will require a third-party Assessor.
    • Whistleblower notifications and False Claims Act violations are potentially in play.

POAM and Waivers

  • Limited use of Plans of Action and Milestones (POAMs) will be allowed.
    • Strictly time-bound: Potentially 180 days. Contracting officers can use standard contractual remedies to address a contractor’s failure to meet their cybersecurity requirements after the defined timeline.
    • Limited use: POAMs for high-weighted requirements are not allowed.
  • Waivers
    • Only allowed in select mission-critical instances.
    • Strictly time-bound: Time to be determined on a case-by-case basis.
    • Will require Senior DOD approval.

Interim Program

  • Since the timeline to complete the Federal rulemaking process may be anywhere from 9 to 24 months, an interim voluntary program has been authorized.
  • Do not expect rulemaking to change the underlying requirement to implement NIST SP 800-171.

Unknowns

  • Reciprocity with other cybersecurity standards has yet to be identified.
  • When to expect the NIST SP 800-171 Rev. 3 and future updates.
  • Practice inheritance and involvement of external service providers.
  • Cloud-native environments and zero trust architecture.
  • How companies will report and recoup CMMC business costs.
  • How federal program offices will be instructed to define, classify, and identify CUI.
  • Whether the government will implement any reciprocity with other US and international cybersecurity standards.

Takeaway

  • Contractors should get compliant now. CMMC is not a new requirement: NIST SP 800-171 was first published in 2015, and DFARS 252.204-7012 has been enforced since December 2017.
  • Conduct self-assessments honestly through SPRS using NIST SP 800-171A.
  • CKSS provides CMMC consulting support for companies of all sizes. If you’re interested in learning more about CMMC compliance or you need a CMMC Gap Analysis, please contact us here.