
What you need to know about CMMC 2.0 requirements

Dr. Heather Buker | May 17, 2023


In early 2020, the US Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC), which has since gained significant attention. The CMMC program aims to enhance security by mandating certification of external contractors, of which there are over 300,000. Given the constant threat of cyber warfare to the defense industrial base (DIB), this program is critical for national security.

Although the fundamental objective of the CMMC remains the same, there have been notable revisions to the framework with the introduction of CMMC 2.0.

Important changes in CMMC 2.0 requirements

The most significant changes are summarised below.

1. The number of cybersecurity maturity levels in the framework has been reduced from 5 to 3

Level 1 (Foundational): Any contractor handling Federal Contract Information (FCI) is required to attain this level. A notable change is that organizations will have the option to perform an annual self-assessment.

Level 2 (Advanced): This level is equivalent to the former Level 3 (Good Cyber Hygiene) and must be met by organizations dealing with Controlled Unclassified Information (CUI). Third-party (C3PAO) assessments are mandatory for certification, with very few exceptions.

Level 3 (Expert): This level is currently in development and will be based on a subset of NIST SP 800-172. The government will conduct the assessments for this level.

2. POAMs will be allowed in CMMC 2.0

Initially, POAMs (Plans of Action and Milestones) were not allowed as part of the CMMC framework, as it was intended to confirm an organization's level of cybersecurity maturity entirely, without exceptions. This was to ensure that those who invested resources in cybersecurity were not at a disadvantage.

However, in CMMC 2.0, there are now a limited number of scenarios in which organizations can create POAMs to attain certification. Nevertheless, the POAMs must be fully executed within 180 days.

3. The total number of cybersecurity practices has been reduced

The new CMMC 2.0 framework has reduced the total number of practices from 171 to 156, providing a more streamlined and simplified set of cybersecurity practices for organizations to follow.

While the reduction in practices may make it seem easier for organizations to achieve compliance, it is important to note that the remaining practices are still demanding and require significant time, effort, and expertise to implement effectively. Organizations must carefully review the revised framework and assess their cybersecurity posture to ensure they are adequately prepared to meet the new requirements.

4. Cyber hygiene practices are integrated into the framework

CMMC 2.0 emphasizes the importance of cyber hygiene practices, which are critical for maintaining basic cybersecurity standards. These practices are integrated into the new framework to help organizations establish a strong foundation for their overall cybersecurity posture.

By implementing these practices, organizations can significantly reduce their risk of cyberattacks and protect sensitive data. While the cyber hygiene practices included in CMMC 2.0 are fundamental, they are essential for achieving compliance with the new requirements and should not be overlooked.

5. A greater emphasis on technology solutions

CMMC 2.0 places a greater emphasis on technology solutions as a key component of improving an organization's cybersecurity posture. The new framework recognizes that technology is constantly evolving and becoming more complex and that organizations must keep pace with these changes in order to stay secure.

To this end, CMMC 2.0 includes a set of practices that are focused on implementing and maintaining technology solutions that help to detect, prevent, and respond to cyber threats. Organizations must ensure that their technology solutions are up-to-date, effective, and properly configured to meet the new requirements, and should seek expert guidance to identify and implement the best solutions for their specific needs.

Final thoughts

CMMC 2.0 introduces new compliance requirements that organizations must meet in order to achieve certification. These requirements include more rigorous testing and assessment procedures, as well as increased emphasis on the use of technology solutions and the adoption of cyber hygiene practices.

In addition, the new requirements will be more tailored to the specific needs of each organization, based on factors such as the type of data they handle and the level of risk associated with their operations.

Organizations must be able to demonstrate their compliance with the new requirements. 6clicks is a platform that helps organizations achieve and maintain compliance. The AI engine Hailey brings down the time to achieve compliance significantly by comparing the requirements with other standards and frameworks.

To learn more about how the platform empowers organizations with the tools required for compliance and information security, take a demo of the platform.


Written by Dr. Heather Buker

Heather has been a technical SME in the cybersecurity field her entire career, from developing cybersecurity software to consulting, service delivery, architecting, and product management across most industry verticals. An engineer by trade, Heather specializes in translating business needs and facilitating solutions to complex cyber and GRC use cases with technology. Heather has a Bachelor's in Computer Engineering, a Master's in Engineering Management, and a Doctorate in Information Technology with a specialization in information assurance and cybersecurity.