Cyber Threat Report

DoD Announces CMMC 2.0 Cybersecurity Plans, Here’s What To Expect

The Department of Defense (DoD) has suspended the original cybersecurity certification program pending major changes. On November 4, 2021, the DoD announced the completion of an internal review of its Cybersecurity Maturity Model Certification (CMMC) program and the release of Model 2.0.

The enhanced program maintains the original goal of safeguarding sensitive information, while the original concept of CMMC has been radically altered. The DoD will implement these changes through a forthcoming rulemaking process, which they anticipate taking around 9-24 months. The following are highlights of these anticipated enhancements:

  • Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements;
  • Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and
  • Increasing Department oversight of professional and ethical standards in the assessment ecosystem.


The newly released CMMC version 2.0 represents significant strategic directional changes and affects all parties involved with the process. While this announcement gives contractors more time to prepare for CMMC requirements, it’s an opportunity to focus on ensuring compliance with existing cybersecurity requirements; including DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting and DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.

It seems the DoD intends to make several more significant changes to the CMMC Model during this new rulemaking process. Most prominently, by boiling down the original 5 levels into a new 3 level tier. Here’s what we know so far:

Level 1 (Foundational)
This level will likely apply to companies that process, store, or handle Federal Contract Information. The DoD intends to allow companies to perform self-assessments. This level will require companies to comply with a limited subset of NIST SP 800-171 controls.

Level 2 (Advanced)
Previously seen as Level 3, this level will likely apply to companies that process, store, or transmit Controlled Unclassified Information (CUI). If the contract also involves information critical to national security, DoD will require the contractor to obtain a third-party assessment from an organization accredited by the CMMC Accreditation Body; otherwise, DoD will allow the company to perform a self-assessment. Level 2 will be equivalent to NIST SP 800-171.

Level 3 (Expert)
Originally Level 5, this level will be based on a subset of NIST 800-172 requirements and will likely require an assessment conducted by government officials. At this time, these assessment requirements are still in development.

In the meantime, we recommend DoD contractors take this time to reassess their plans for CMMC and focus on their existing data security requirements by speaking with us.


We are JANUS Associates. Founded in 1988, we are the longest operating security, privacy, and regulatory compliance consultancy in the nation.

For the past 32+ years, we have helped hundreds of government agencies, commercial entities, educational institutions, and not-for-profit organizations protect their infrastructures, data, clients, and employees. Our decade’s long experience has allowed us to achieve deep expertise in every sector and specialty that exists, including yours. We are friendly, nimble, and flexible, and we always focus on what's best for your business.

Contact Chris Kniffin, Corporate Director, to find out how a team of affordable professionals can help you secure your organization and meet your regulatory compliance goals.

New call-to-action
New call-to-action

Subscribe to Cyber Threat Report