Preparing for Certification with CMMC 2.0

In November 2021, the Department of Defense (DoD) affirmed plans to move forward with Cybersecurity Maturity Model Certification (CMMC) in 2022 to protect Controlled Unclassified Information (CUI), introducing sweeping changes to how contractors comply with the requirements. Final rulemaking is underway and implementation guidance is released regularly to clarify expectations for contractors and CMMC assessors.

It is important to note that, while implementation of CMMC and rollout timeline have changed, CMMC will still be mandatory across the Defense Industrial Base (DIB) and will appear in all contracts over the next several years.

What’s New in CMMC 2.0?

In an effort to smooth the rollout of CMMC and respond to concerns from contractors, DoD reviewed the CMMC initiative and made significant changes to the design of the framework, how contractors meet CMMC requirements and the rollout timeline of the certification process.

  • Reduction of Levels from 5 to 3. Level 1 remains the minimal set of requirements, while Level 2 aligns explicitly with the current NIST 800-171 set of controls for protecting Controlled Unclassified Information. Level 3 includes all Level 2 requirements, plus more stringent practices for more sensitive DoD programs.
  • NIST 800-171 Returns. The CMMC control framework is gone, and the NIST 800-171 requirements, which are currently required by DFARS rule, will be the foundation for the framework’s middle tier.
  • New Approach of Self-Attestation. CMMC was expected to eliminate the self-attestation approach to CUI protection, but CMMC 2.0 will allow some contractors to continue to self-assess and self-attest to compliance.

A new DFARS rulemaking process has begun to eventually incorporate CMMC 2.0 requirements into all DoD contracts. DoD has given an early estimate of between 9 and 24 months before CMMC certification – either by 3rd party assessment or by self-assessment – is mandatory.

3 levels of CMMC Compliance


What Do Contractors Need to Do?

Continue to Build Your Cybersecurity Program Aligned with NIST 800-171: NIST 800-171 is the minimum set of practices for securing CUI, and will be the standard for both self-assessments and independent assessments at Level 2 of the framework. NIST 800-171 is also the current requirement via interim DFARS rule; thus, enhancing your cybersecurity program using this framework is a strong baseline for future compliance obligations.

Review DoD’s Resources for Contractors for Enhancing Cybersecurity Programs: DoD provides a collection of guidance, dubbed Project Spectrum, for smaller contractors to assist with understanding cyber risk and taking action. The Project Spectrum site offers training videos, webinar events, and basic “cyber readiness checks” to help educate the DIB.

Consider Moving Forward with CMMC Certification Now: While the rulemaking process is being finalized, DoD and the Accreditation Body are implementing an Interim Voluntary Program for contractors to obtain certification early. This can be a differentiator for contractors and will demonstrate commitment to the protection of CUI. Further, DoD is considering incentives for contractors who voluntarily achieve certification, regardless of contract requirements.


DHG’s Cybersecurity and Data Privacy team is experienced in assessing complex environments and providing holistic solutions to contractors protecting sensitive information. Our professionals provide detailed guidance to help contractors mitigate cybersecurity risk and achieve compliance objectives. DHG is an Authorized CMMC 3rd Party Assessor Organization (C3PAO) and Registered Provider Organization (RPO) with the CMMC Accreditation Body. As an Authorized C3PAO, DHG will perform CMMC certification assessments for contractors across the country.

We help contractors understand compliance requirements and prioritize resources to meet compliance objectives with the following assistance:

  • CMMC Level 1 and Level 2 Certification Assessments (C3PAO Services)
  • Readiness Assessments and Gap Analyses Against the CMMC Framework
  • System Security Plan (SSP) and POAM Development
  • NIST 800-171 and 800-172 Advisory
  • Cybersecurity Risk Assessments
  • Network Penetration Testing
  • Security Program Design, Advisory and Training
  • Fractional Chief Information Security Officer (vCISO) Services