Home » Services » Compliance » CMMC 2.0

CMMC 2.0

Ensuring security throughout the Defense Industrial Base

CMMC 2.0

Who needs and and why?

What is CMMC 2.0 and how does it differ from 1.0

The DoD introduced its CMMC initiative in mid-2019 and released CMMC 1.0 in early 2020. The initial program called for external audits of each and every one of the hundreds of thousands of companies doing work for the DoD —all within five years

Congressional hearings followed, and in November 2021 DoD released its much-streamlined CMMC 2.0 model. The new program focuses on reducing costs for SMBs and aligning cybersecurity requirements with other federal requirements. The DoD reshaped CMMC to follow a security-first approach that would be accessible even to smaller companies.


Since the release of 1.0, CMMC has undergone significant revisions. Today CMMC 1.0 has been updated to CMMC 2.0. While the DoD could expedite the model’s role out, CMMC 2.0 is expected to go into effect in May 2023 and be in contracts by July 2023. That means you have a short time to get your house in order, so that you can remain competitive in the DIB. This blog to help you get started. Below is an overview of CMMC 2.0, its practices and levels, and what you need to know to get started with your compliance journey.



CMMC 2.0 differs from 1.0 in the following key ways:

  • It trims the number of CMMC levels from five to three. The new CMMC 2.0 levels are: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
  • CMMC 2.0 dropped 20 security requirements for the new CMMC Level 2. It now dovetails completely with the 110 security controls of NIST SP 800-171. The new Level 2 certification will indicate that an organization is able to securely store and share CUI.
  • Whereas POAMs were not allowed in 1.0, CMMC 2.0 will allow for limited use of Plans of Actions and Milestones (POAMs). POAMs can only be used for 1 point controls, not the more complex 3 or 5 point controls.
  • Waivers for certification will be permitted in very limited circumstances.

How we achieve and maintain CMMC 2.0 compliance

From small shops to large enterprises we can help properly scope and execute your CMMC 2.0 compliance program. 

CMMC Level 1

- 17 practices
- Annual self-assessment

CMMC Level 2

- 110 practices aligned with NIST SP 800-171
- Triannual third-party assessments for critical national security data
- Annual self-assessment for select programs

CMMC Level 3

- 110 + practices based on NIST SP 800-172
- Triannual government-led assessments

CMMC Cost and Schedule

CMMC 2.0 compliance

The specific maturity level that a contract requires is one of the biggest cost factors, but a contractor’s existing security posture will also affect the total cost of obtaining CMMC success

startup, start-up, people-593343.jpg

Level 1

avg.  $3,000 – $6,000

1 – 3 months

engineer, engineering, electrical engineer-4941336.jpg

Level 2

avg. $25,000 – $35,000

2 – 4 months


entrepreneur, startup, start-up-593378.jpg

Level 3

avg. $55,000 – $75,000

3 – 6 months

Suitable Subtitle

Attractive Call to Action Text