Proudly serving Virginia, Maryland and DC // Call us today! 703.396.6120
V2 SystemsV2 Systems
CMMC 2.0 is here

by Erik Briceno

Last year, the U.S. Department of Defense (DoD) completed its internal review of the Cybersecurity Maturity Model Certification (CMMC). Several significant changes have been made, and all DoD contractors need to be aware of them.

What’s the difference between CMMC and CMMC “2.0”? Let’s take a look.

What is CMMC 2.0?

The DoD’s Cybersecurity Maturity Model Certification 2.0 (CMMC) is the new standard for DoD contracts that takes the place of the section of NIST 800-171 dealing with compliance for Controlled Unclassified Information (CUI). CMMC 2.0 has 3 levels. Level 1 has 17 practices, allows self-assessments, and is primarily targeted at protecting Federal Contract Information (FCI). Level 2 has 110 practices, may or may not require a third-party assessment, and is targeted at protecting CUI. Level 3 is based on NIST 800-172 and is only required for the highest priority, most critical defense programs.

As of right now, CMMC 2.0 mirrors NIST 800-171’s 110 security practices for most government contractors working with controlled unclassified information (CUI). The DoD specifies the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

What has changed between CMMC and CMMC 2.0?

The most notable change is that the original five levels of CMMC have been condensed into three. Here is the complete breakdown of all key differences between CMMC and CMMC 2.0:

  • CMMC now has three levels (instead of five).
  • Annual self-assessments are allowed for Level 1 and a portion of Level 2.
  • An annual affirmation by company leadership is required for self-assessments.
  • CMMC 2.0 Level 1 has 17 practices.
  • Most government contractors working with CUI are at the new CMMC 2.0 Level 2.
  • CMMC 2.0 Level 2 may require a third-party assessment.
  • CMMC 2.0 Level 2 has 110 practices and mirrors NIST 800-171.
  • Cybersecurity maturity processes are no longer required.
  • CMMC 2.0 Level 3 is based on a subset of NIST 800-172.
  • Level 3 is only required for the highest priority, most critical defense programs and will require government-led assessments.
  • POAMs are allowed but are strictly time constrained and can only be used for a subset of practices.
  • CMMC 2.0 has now officially been implemented, but there may be revisions in the very near future.

CMMC 2.0 is hereWhile the DoD is not asking small to medium-sized businesses to implement Fort Knox’s level of security, they are requiring adequate security and good cyber hygiene. That’s what the Cybersecurity Maturity Model Certification is all about. And that’s exactly why you should turn to the experts for help in adopting it. That’s where we come in.


Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!

About ebriceno
Erik Briceño is the owner of V2 Systems, Inc., one of Northern Virginia’s leading Information Technology Managed Service Providers. He is an inspiring leader for its employees and instrumental business partner for its customers. He is passionate about V2’s purpose, dedicated to exceeding expectations and a consummate professional not afraid of jumping in and getting his hands dirty. Prior to joining V2 Systems in 2002, Erik was a co-founder and COO of, a leading provider of online resources servicing over 5,000 independent musical artists. At, Erik spearheaded all aspects of corporate development, funding, strategic vision, and business development for the firm. From 1997 to 1999 Erik held the position of Acoustic Systems Engineer for Electric Boat Corporation, a leading defense contractor. In this role, Erik was responsible for the acoustic fidelity of two noise critical systems and components in the US Navy’s nuclear submarine systems. Erik holds a B.S. in Mechanical Engineering from Vanderbilt University and a Masters of Business Administration from George Mason University. When not working, you will find Erik a dedicated family man, raising two young children with his lovely wife Karen. Together, they enjoy building legos, playing baseball, skiing, riding horses, swimming, traveling, and fixing up old Mopars.
CMMC 2.0 is here
CMMC 2.0 is here