If you read about CMMC a few years ago and found five levels and a mandatory audit for everyone, that was CMMC 1.0. It is gone. The version that actually applies to your contracts is CMMC 2.0, and it is meaningfully simpler. Here is what it is and what changed.
What CMMC 2.0 is
CMMC 2.0 is the current version of the Cybersecurity Maturity Model Certification, the DoD program that verifies its contractors protect federal information. It was announced in November 2021 and finalized in the 2024 program rule (32 CFR Part 170), with the DFARS acquisition rule that puts it into contracts following in 2025. The goal was to keep the security bar high while cutting the complexity and cost that made the original model unworkable for small businesses.
What changed from CMMC 1.0
| | CMMC 1.0 | CMMC 2.0 |
|---|---|---|
| Levels | 5 | 3 |
| Assessment | Third party for nearly everyone | Self assessment for L1 and many L2 contracts |
| Maturity processes | Extra process maturity requirements | Removed; aligned to NIST SP 800-171 |
| Level 2 standard | Custom control set | The 110 requirements of NIST SP 800-171 |
| POA&Ms | Not allowed | Allowed at L2 if the assessment scores at least 88 of 110, yielding a conditional status that must be closed out within 180 days |
The headline changes: fewer levels, self assessment restored for a large share of contractors, and Level 2 mapped cleanly onto a standard that already existed. For a small contractor, CMMC 2.0 is both cheaper and clearer than what came before.
The three levels
- Level 1: Federal Contract Information (FCI). 15 safeguarding requirements. Self assessed and affirmed annually in SPRS.
- Level 2: Controlled Unclassified Information (CUI). The 110 requirements of NIST SP 800-171 Rev 2. Self assessed (every three years, with an annual affirmation in SPRS) or certified by a C3PAO, depending on the contract.
- Level 3: the most sensitive programs. Level 2 certification plus 24 requirements drawn from NIST SP 800-172, assessed by the government (DCMA's DIBCAC).
Which level applies to you is decided entirely by the information your contracts hand you. See "Do you actually handle CUI?" for the test.
The rollout timeline
- Dec 16, 2024: the CMMC Program Rule (32 CFR Part 170) took effect.
- Nov 10, 2025: the DFARS acquisition rule that puts CMMC into contracts took effect (Phase 1).
- Nov 10, 2026: Phase 2 begins. Applicable solicitations start requiring a current Level 2 certification (C3PAO assessed) status as a condition of award, in addition to the Level 1 and Level 2 self assessments Phase 1 already requires.
Follow the moving pieces on the State of CMMC timeline.
What it means for you
For most small defense contractors, CMMC 2.0 is good news: the path is shorter than 1.0 promised, and Level 1 is fully self serve. The one thing that has not changed is that you have to know your level and start early, because getting ready, especially for Level 2, takes months.
Frequently asked questions
What is CMMC 2.0?
CMMC 2.0 is the current version of the Cybersecurity Maturity Model Certification, the Department of Defense program that verifies contractors protect federal information. Announced in 2021 and finalized in the 2024 program rule, with the DFARS acquisition rule following in 2025, it streamlined the original model to three levels, aligned Level 2 directly with NIST SP 800-171, and restored self assessment for many contractors. It is the version now phasing into DoD contracts.
How is CMMC 2.0 different from CMMC 1.0?
CMMC 1.0 had five maturity levels and required a third-party assessment for essentially everyone. CMMC 2.0 reduced that to three levels, dropped the extra maturity processes, aligned Level 2 exactly with the 110 requirements of NIST SP 800-171, and allowed self assessment for Level 1 and for many Level 2 contracts. It is simpler and less costly for most small contractors.
What are the three levels of CMMC 2.0?
Level 1 covers Federal Contract Information (FCI) with 15 safeguarding requirements, self assessed. Level 2 covers Controlled Unclassified Information (CUI) with the 110 requirements of NIST SP 800-171 Rev 2, self assessed or assessed by a C3PAO. Level 3 is for the most sensitive programs and is government assessed (by DCMA's DIBCAC) against Level 2 plus 24 requirements from NIST SP 800-172.
When does CMMC 2.0 take effect?
It is phasing in. The program rule (32 CFR Part 170) took effect December 16, 2024, and the acquisition rule that puts CMMC into contracts took effect November 10, 2025, starting Phase 1 (Level 1 and Level 2 self assessments). Phase 2 begins November 10, 2026, when applicable solicitations start requiring a current Level 2 certification (C3PAO assessed) status as a condition of award.
Does CMMC 2.0 require third-party assessment?
Not for everyone. Level 1 is always self assessed. Many Level 2 contracts accept a self assessment filed in SPRS every three years with an annual affirmation, while others require certification by an accredited C3PAO; Level 3 is assessed by the government. Restoring self assessment for a large share of contractors was one of the biggest changes from CMMC 1.0.