By now, you have a grasp on just how seriously the Department of Defense takes NIST compliance. Looking out for your firm’s cybersecurity is among your top responsibilities. While cybersecurity operations are an essential part of your operating procedures, the rapid pace of change can be difficult to keep up with. The DoD continues to update its expectations on cybersecurity standards for the Defense Industrial Base. You need to be sure that your organization is prepared to pivot.

The latest development in the DoD's cybersecurity program is known as CMMC. The Cybersecurity Maturity Model Certification program has been the topic of discussion for quite some time and is poised to create a measure of accountability for DoD contractors. CMMC essentially fortifies the DFARS by creating an accreditation body to verify NIST compliance. This measure is designed to add an extra layer of protection beyond the usual self-assessments that contractors are expected to complete.

CMMC 2.0

Understandably, the implementation of an accreditation body was met with concern from many contractors. The original framework of CMMC made very few distinctions between contractors. It consisted of 5 maturity levels, and all contractors would be scored according to at least one of them. Many firms felt that this expectation was not equally distributed across the defense sector. In response, the Department of Defense moved to revise the original CMMC framework in a way that accounted for the varying types of business within the DIB. These revisions could actually make things easier for your business or organization.

Revisions Under CMMC 2.0

Under CMMC 2.0, there are three critical things to understand. First, there are no longer 5 maturity levels. The number has been revised down to three, and they are dictated by your company's relationship with Controlled Unclassified Information (CUI) and High-Value Assets (HVA). Second, the DoD has relaxed its expectations surrounding the third-party accreditation body. This will no longer be required across the DIB. Instead, your obligation to submit to an audit will be determined by the maturity level you are required to comply with. Finally, CMMC 2.0 will allow more flexibility when it comes to bidding for contracts. Under the initial plan, non-compliance with CMMC would have made your firm ineligible to bid for contracts. Under this new plan, firms will retain their ability to bid on the condition that they submit a written plan to reach compliance for their systems.

CUI and HVA

CMMC 2.0 improves upon the original guidelines by making clear distinctions between contractors. Under CMMC 2.0, there are essentially three types of contractors: firms that handle CUI, firms that handle CUI and HVA, and firms that handle neither. When it comes to your compliance with CMMC, determining which of these applies to you is your first move. Contractors with no CUI or HVA obligation will be allowed to complete a yearly self-assessment. Firms that exclusively handle CUI will be allowed to self-assess, assuming their CUI is not considered Critical National Security Information. In that instance, the firm will be audited every three years. Finally, companies that handle HVA will likely submit to an assessment overseen by the DoD rather than a third-party accreditation service.