Update 11/10: CMMC compliance is now mandatory for all new Department of War (formerly DoD) contracts as of November 10, 2025. During Phase 1, organizations handling Federal Contract Information (FCI) must complete a Level 1 self-assessment and submit it to the Supplier Risk Performance System (SRPS) before contract award, while some contractors may also need Level 2 assessments.
The Evolution of CMMC Compliance
There's been a lot of talk regarding CMMC within the security sphere. The Cybersecurity Maturity Model Certification(CMMC) may seem like just another compliance being leveled against SMB's in a long list of government regulations and certifications, however this couldn't be farther from the truth.
CMMC has provided organizations working within the Defense Industrial Base a standardized list of best practices to protect sensitive date. One of CMMC's greatest strengths is it's ability to scale and dynamically change to address current cyber threats, effective security controls, and practicality for SMB's. CMMC 1.0 was established in early 2020 and just about two years later CMMC is now on its streamlined version 2.
This leaves an important question. What's the difference between CMMC 1.0 and 2.0?
The Purpose of CMMC 2.0
When the Defense Industrial Base(DIB) first revealed their intentions to include CMMC 1.0 into all of their contracts the original response was skeptical. For some organizations the strict and numerous regulations, controls, and audits made CMMC a huge budgetary and practical concern. For starters, CMMC 1.0 contained 5 maturity levels with the more advanced levels containing 100+ processes each. Depending on your organization size, preexisting security posture, and IT infrastructure implementing these controls could prove a costly endeavor. This is where CMMC 2.0 comes into play. Realizing that the numerous controls may create a larger barrier of entry than anticipated in latte 2021 the DIB alongside NIST depreciated CMMC 1.0 in exchange for version 2. CMMC 2.0 streamlined the maturity levels of the previous iteration from 5 levels to 3 maturity levels. These levels removed the transitional levels and controls of 1.0 and folded them into 3 Foundational, Advanced, and Expert levels.
The Big Difference
As previously mentioned CMMC 2.0 streamlines the maturity levels of version 1 into 3 primary levels: Foundational, Advanced, and Expert levels.
The "Foundational" level is the new "level" one and contains 17 practices for organizations to follow as well as allows for annual self evaluations. Due to the beginner level nature of this level organizations are allowed to annually evaluate their own company and maturity level including staff, IT systems, preexisting controls, processes not yet implemented etc.
The "Advanced" level drops 20 security requirements from the original CMMC model and requires organizations to implement 110 security practices that are all aligned with NIST SP 800-171. This level does call for annual self-assessments for certain programs, however triannual third-party assessments for critical national security information is required for organizations seeking compliance with this level. Compliance with level 2 of CMMC 2.0 will show that organizations are capable of securely storing/sharing Controlled Unclassified Information(CUI).
Finally, the "Expert" level requires over 110 practices all based on NIST SP 800-172 in a similar fashion to the advanced level. Outside of a few extra practices and controls the expert level requires triannual government-led assessments. Self evaluations and third-party assessments are not sufficient for this maturity level.
Let CorpInfoTech help you learn more about CMMC compliance!
CorpInfoTech is a CMMC Level 2 (C3PAO) certified MSP that has passed our audit with a perfect 110, making us one of the first MSPs to achieve level 2 compliance
