CMMC 2.0 vs CMMC 1.0: What Changed and What It Means for Your Defense Contract
CMMC 2.0 replaced the original framework in 2021. The changes are significant: fewer levels, no more CMMC-unique practices, and a phased rollout. Here is the complete breakdown of what changed, what stayed, and what defense contractors need to do now.
If you are a defense contractor, subcontractor, or supplier in the Defense Industrial Base, the shift from CMMC 1.0 to CMMC 2.0 is not a technicality. It is a fundamental restructuring of how the Department of Defense certifies that contractors are protecting Controlled Unclassified Information (CUI). The stakes are real: non-compliance can disqualify you from DoD contracts entirely.
This post breaks down every meaningful difference between the two frameworks — levels, practices, assessment requirements, and timeline — and tells you exactly what those differences mean for your business.
Background: Why CMMC 1.0 Was Replaced
CMMC 1.0 was introduced in January 2020 with good intentions: create a unified standard for cybersecurity across the Defense Industrial Base, moving beyond the self-attestation model where contractors could declare NIST 800-171 compliance without any independent verification. The problem was execution. CMMC 1.0 created five maturity levels, introduced 171 practices in total (including practices unique to the CMMC framework, separate from the NIST 800-171 controls), and required all contractors to be assessed by accredited third-party assessment organizations before they could even bid on covered contracts.
The defense contractor community pushed back hard. The five-level model was complex. The CMMC-unique practices added compliance burden without clear security benefit. The requirement for third-party assessment on even low-sensitivity contracts imposed costs that smaller companies could not absorb. And the ecosystem of accredited assessors — C3PAOs — was nowhere near large enough to handle the volume of required assessments.
In November 2021, the DoD announced CMMC 2.0, a streamlined version that addressed the most significant criticisms while preserving the core goal: independent verification of cybersecurity practices for contractors who handle CUI.
The Level Structure: Five Levels vs. Three
The most visible change in CMMC 2.0 is the reduction from five maturity levels to three. Here is what that means in practice.
CMMC 1.0: Five Levels
- Level 1 (Basic Cyber Hygiene): 17 practices from FAR clause 52.204-21
- Level 2 (Intermediate Cyber Hygiene): 72 practices, including all 17 Level 1 practices plus additional ones
- Level 3 (Good Cyber Hygiene): 130 practices, fully aligned with NIST SP 800-171
- Level 4 (Proactive): 156 practices, adding advanced and proactive capabilities
- Level 5 (Advanced/Progressive): 171 practices, the most demanding tier
CMMC 2.0: Three Levels
- Level 1 (Foundational): 17 practices aligned with FAR 52.204-21 — for contractors handling Federal Contract Information (FCI) but not CUI
- Level 2 (Advanced): 110 practices fully aligned with NIST SP 800-171 Rev 2 — for contractors handling CUI
- Level 3 (Expert): 110+ practices from NIST SP 800-171 plus a subset of NIST SP 800-172 — for contractors on the highest-priority DoD programs
Critical: The old Levels 4 and 5 are gone. Level 3 in CMMC 2.0 is NOT the same as Level 3 in CMMC 1.0. CMMC 2.0 Level 2 is the new primary standard for most CUI contractors, and it maps directly to NIST 800-171 — a framework that should already be familiar.
The Practices: CMMC-Unique Requirements Are Gone
This is the change that had the most direct operational impact for most contractors. CMMC 1.0 introduced 171 practices — but only 110 of them came from NIST 800-171. The remaining 61 were CMMC-unique practices that existed nowhere else in the federal regulatory landscape.
CMMC 2.0 eliminated all CMMC-unique practices. Every practice in CMMC 2.0 maps directly to an existing NIST standard: Level 1 maps to FAR 52.204-21, Level 2 maps to NIST SP 800-171, and Level 3 maps to NIST SP 800-172.
For contractors who were already working toward NIST 800-171 compliance — which has been required in DoD contracts since 2017 under DFARS 252.204-7012 — this is significant. Your existing NIST 800-171 work directly counts toward CMMC 2.0 Level 2. You are not starting over.
Assessment Requirements: Who Has to Be Assessed by Whom
This is where the practical differences between CMMC 1.0 and 2.0 are most significant for contractors.
CMMC 1.0 Assessment Requirements
Under CMMC 1.0, all contractors at all five levels required assessment by an accredited C3PAO before they could be awarded covered contracts. Even Level 1 contractors handling only basic Federal Contract Information needed a third-party assessment. This was a primary driver of the framework's impracticality: the C3PAO ecosystem simply could not support the volume of assessments required.
CMMC 2.0 Assessment Requirements
- Level 1: Annual self-assessment with senior official attestation — no C3PAO required
- Level 2 (most contractors): Third-party C3PAO assessment required every three years, with annual affirmations between assessments
- Level 2 (select programs): Self-assessment permitted for certain lower-priority programs — DoD determines which contracts qualify
- Level 3: Government-led assessment by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
The practical effect: the vast majority of contractors handling CUI will require a C3PAO assessment for Level 2. But Level 1 contractors — those handling only FCI without CUI — can self-attest annually, dramatically reducing their compliance burden compared to CMMC 1.0.
Plans of Action and Milestones (POA&Ms): A Major Change
One of the most contractor-friendly changes in CMMC 2.0 is the allowance for Plans of Action and Milestones. Under CMMC 1.0, a contractor had to demonstrate full compliance with all required practices before receiving a passing assessment. There was no grace period, no partial credit.
CMMC 2.0 allows contractors to receive a conditional certification with open POA&M items — meaning you can be certified even if some practices are not yet fully implemented, as long as you have a documented plan to close the gaps within a defined timeframe (typically 180 days for most items).
There are important caveats. Certain high-priority practices — specifically those related to multi-factor authentication and encryption — cannot have open POA&M items at assessment time. And the conditional certification approach requires clear documentation and a credible remediation timeline that the C3PAO reviews.
POA&Ms are a safety valve, not a loophole. They allow contractors to receive contracts while completing their security roadmap — but the DoD and the C3PAO will be watching whether the POA&M items actually get closed. A pattern of repeated open items without closure will raise serious concerns.
The Maturity Processes: Gone in 2.0
CMMC 1.0 assessed not just practices, but maturity processes — the institutional processes that embed security practices across the organization. Maturity processes were the mechanism by which contractors moved from Level 3 to Levels 4 and 5.
CMMC 2.0 eliminates the maturity process assessment entirely. The framework now focuses exclusively on whether specific security practices are implemented and operating effectively. This simplifies the assessment but also removes one of the ways sophisticated contractors could differentiate themselves through institutional security maturity.
Timeline and Rollout: What Is Actually Required Now
CMMC 2.0 became a final rule on December 16, 2024, when it was published in the Federal Register. The DoD began phasing CMMC requirements into contracts starting in 2025. Here is the realistic timeline:
- Phase 1 (2025): CMMC Level 1 self-assessment or Level 2 self-assessment requirements begin appearing in eligible DoD contracts
- Phase 2 (2026): Level 2 C3PAO assessment requirements begin appearing in contracts for programs handling CUI
- Phase 3 (2027): Full implementation — all covered acquisitions include the appropriate CMMC requirements
- Level 3: Implementation timeline for the highest-priority programs is coordinated with the DoD program offices
Critically, existing contracts are not automatically affected by CMMC requirements. CMMC requirements are introduced at contract renewal or when new awards are made. However, contractors should not wait for contract renewal to begin preparation — the lead time required to achieve Level 2 certification (typically 90–180 days from gap assessment to C3PAO assessment) means that contractors who start late risk being unable to compete when their contract comes up for renewal.
The SPRS Score: Still Required and Now More Important
The Supplier Performance Risk System (SPRS) score is not a CMMC invention — it has been required under DFARS 252.204-7019 since 2020. But CMMC 2.0 places increased emphasis on SPRS scores as part of the compliance ecosystem.
Contractors are required to upload their NIST SP 800-171 self-assessment score to SPRS, where contracting officers can review it. The maximum score is 110 (one point for each fully implemented practice). Scores are weighted by practice — some practices are worth more than others based on their security impact. A score below 110 indicates unimplemented practices, and contracting officers can factor SPRS scores into award decisions.
- SPRS scores must be updated at minimum annually
- SPRS scores are visible to DoD contracting officers
- A very low SPRS score can raise red flags even for contracts without explicit CMMC requirements
- For Level 2 self-assessment, the SPRS score upload serves as part of the attestation
- After a C3PAO assessment, the assessment results are uploaded to the CMMC Enterprise Mission Assurance Support Service (eMASS) database, not to SPRS
What CMMC 2.0 Means for Subcontractors
CMMC requirements flow down through the supply chain. If your prime contractor is subject to CMMC Level 2, and your subcontract involves access to CUI, you also need Level 2 certification. This is one of the most commonly misunderstood aspects of CMMC.
Prime contractors are responsible for ensuring their subcontractors meet applicable CMMC requirements. In practice, this means primes are increasingly including CMMC compliance as a subcontractor qualification requirement — and they are beginning to ask for evidence of C3PAO assessments or at minimum SPRS scores before awarding subcontracts.
For subcontractors who handle only information that does not include CUI — for example, a subcontractor providing facilities management services who never has access to technical data — CMMC requirements may not apply. But this determination needs to be documented and defensible.
CMMC 1.0 vs. CMMC 2.0: Side-by-Side
- Levels: 5 in CMMC 1.0 → 3 in CMMC 2.0
- Total practices: 171 in CMMC 1.0 → 110 at Level 2, 110+ at Level 3 in CMMC 2.0
- CMMC-unique practices: 61 unique practices → eliminated entirely in CMMC 2.0
- Maturity processes: Required in Levels 4–5 → eliminated in CMMC 2.0
- Assessment frequency: One-time for initial award → triennial for Level 2 C3PAO; annual self-assessment for Level 1
- POA&M allowance: Not permitted in 1.0 → permitted in CMMC 2.0 with conditions
- Level 1 assessment: C3PAO required in 1.0 → self-attestation permitted in CMMC 2.0
- Framework alignment: Partially NIST 800-171 → fully NIST 800-171 at Level 2 in CMMC 2.0
What You Should Do Now
The phased rollout of CMMC 2.0 requirements means that most contractors have time to prepare — but not unlimited time. The contractors who will struggle are the ones who treat CMMC as something to deal with when the contract renewal arrives. The C3PAO assessment process has lead time: gap assessment, remediation, evidence collection, and the assessment itself typically take four to nine months from start to finish.
1. Determine your required level. Review your current contracts and anticipated contracts. If you handle CUI, you almost certainly need Level 2.
2. Assess your current NIST 800-171 implementation. Run a gap assessment against all 110 practices. Calculate your current SPRS score honestly.
3. Build a System Security Plan (SSP). The SSP is the foundation document for both SPRS scoring and the C3PAO assessment. If you do not have one, start now.
4. Close your gaps before the assessment. Identify your highest-priority gaps (especially MFA and encryption, which cannot be POA&M items) and remediate them before scheduling your C3PAO assessment.
5. Select a C3PAO. The list of accredited C3PAOs is maintained by the Cyber AB marketplace. Start conversations early — assessment slots book up.
The defense contractor who starts preparing six months before their contract renewal is in a completely different position than the one who starts six weeks out. If your DoD work matters to your business, CMMC preparation needs to be on your roadmap now — not when the contracting officer asks for your assessment certificate.