
CMMC 2.0 vs CMMC 1.0: What Changed and What it Means for Small Contractors

A businessman on a laptop reviewing CMMC Level 1 Compliance requirements.

If you’ve been trying to research CMMC compliance and found the information all over the place, there’s a simple reason: a lot of what’s out there is outdated. The original framework that launched in 2020 looked very different from what the DoD is enforcing today. The certification levels changed. The assessment process changed. Even the name shifted: the final rule drops the “2.0” label and simply calls it the CMMC Program, though nearly everyone still says CMMC 2.0 to distinguish it from the original.

This article is specifically for small contractors and subcontractors who keep hitting conflicting information and want a straight answer on what the current rules actually require.

The original CMMC had five levels. The current one has three.

That’s the single biggest structural change, and it causes most of the confusion.

CMMC 1.0, released in January 2020, organized contractors into five maturity levels. Level 1 (17 practices) covered basic hygiene. Level 3 (the 110 NIST SP 800-171 requirements plus 20 CMMC-specific practices, 130 in total) was where contractors handling CUI were expected to land. Levels 4 and 5 existed for organizations supporting the most sensitive programs. The model also embedded “maturity processes” at each level, meaning you weren’t just implementing controls, you were demonstrating that your organization had repeatable, documented processes around those controls. Every level, including Level 1, was to be assessed by a third party.

CMMC 2.0, announced in November 2021 and codified in the 32 CFR Part 170 final rule, collapsed that down to three levels:

  • Level 1: the 15 basic safeguarding requirements of FAR 52.204-21 (earlier 2.0 materials counted them as 17 practices; the final rule uses the 15 items in the clause), annual self-assessment, covers Federal Contract Information (FCI)
  • Level 2: the 110 requirements of NIST SP 800-171 Rev 2, covers Controlled Unclassified Information (CUI); the contract specifies either a C3PAO certification assessment (the common case) or a self-assessment
  • Level 3: Level 2 certification plus 24 enhanced requirements drawn from NIST SP 800-172, assessed by the government (DCMA DIBCAC), reserved for the highest-sensitivity programs

The maturity process requirements are gone entirely. No more proving that your security practices are “institutionalized.” The focus is now on whether the technical and policy controls are actually in place, not whether you’ve documented how you arrived at them.

For most small contractors, this is a meaningful simplification. If you only handle FCI and not CUI, you’re at Level 1: an annual self-assessment, no third-party assessor required. The one catch is that Level 1 permits no Plan of Action and Milestones (POA&M); every one of the 15 requirements has to be fully met before you can record a passing result.

The “self-attestation” shift matters a lot for Level 1 contractors

Under CMMC 1.0, third-party assessment was eventually going to be required for all levels, including Level 1. That changed.

CMMC 2.0 officially allows Level 1 organizations to self-assess. You work through the 15 requirements, document how each is implemented (a System Security Plan is the conventional place to do this, even though the final rule does not mandate one at Level 1), and record the result in the Supplier Performance Risk System (SPRS). A senior company official then affirms in SPRS that the organization meets the requirements, and must re-affirm every year. No C3PAO (CMMC Third Party Assessment Organization) is involved.

This is a real practical difference. Third-party assessments are commonly quoted at anywhere from $15,000 to $50,000 or more, depending on company size and scope. Self-assessment doesn’t eliminate the cost of getting compliant, but it removes the assessment fee entirely for Level 1 organizations.

The flip side: self-attestation carries legal weight. Submitting a score you know isn’t accurate can expose your company to False Claims Act liability. The DoD is not treating this as a paperwork exercise.

Level 2 is where the biggest changes hit mid-size contractors

If your contracts involve CUI, you need Level 2. And Level 2 under CMMC 2.0 maps directly to NIST SP 800-171 Rev 2, which has 110 security requirements across 14 families.

Under the original framework, Level 3 covered the NIST SP 800-171 requirements plus 20 CMMC-specific practices. The restructuring promoted the 800-171 body of work into the “middle tier” and dropped the 20 extras. The old Levels 4 and 5 were eliminated outright; the new Level 3 is not a renamed Level 5 but a separate tier built on a 24-requirement subset of NIST SP 800-172, layered on top of a Level 2 certification.

The practical impact for contractors currently working toward compliance: if you were aiming at CMMC 1.0 Level 3, your target is now CMMC 2.0 Level 2, and the requirements are broadly the same. The 110 NIST SP 800-171 controls didn’t change; the 20 CMMC-unique practices fell away, and the assessment pathway changed.

Most Level 2 contractors require a certification assessment by an authorized C3PAO every three years, with a senior official affirming continued compliance in SPRS every year in between. The final rule also defines a Level 2 self-assessment, with the same three-year cycle and annual affirmation, for acquisitions the DoD judges lower-risk. Which one applies is written into the solicitation. You can’t opt yourself into self-assessment.

What stayed the same

The core security practices for basic compliance haven’t changed much. The Level 1 requirements are the 15 basic safeguarding requirements in FAR clause 52.204-21, which has been in contracts since 2016. If you were already trying to meet those under the old framework (where they were counted as 17 practices), you’re working toward the same controls today.

NIST 800-171 still forms the backbone of Level 2. Defense contractors who invested in getting to Level 3 under the old model aren’t starting over. They’re largely in the right place, though documentation and evidence artifacts will need to be updated to align with current assessment guidance.

The obligation to flow down requirements to subcontractors hasn’t changed either. If you’re a prime working on a contract that requires CMMC, you’re responsible for ensuring that your subs handling the same information also meet the applicable level.

What this actually means for a small contractor today

If your company is under 50 people and handles DoD contracts, here’s what’s actually relevant to you.

First, figure out what type of information you handle. If it’s purchase orders, delivery schedules, invoicing data, and general contract correspondence, you’re almost certainly dealing with FCI only. That means Level 1, self-assessment, and a manageable compliance path.

If you receive technical drawings, specifications, export-controlled data, or any information your customer has marked or handled as CUI, you’re probably looking at Level 2. That’s a more significant project and, for most contracts, requires a third-party assessment.

Second, stop assuming the old model applies. If the content you’ve been reading references five levels, 17 Level 1 practices, or maturity processes, it predates the current framework. The 32 CFR program rule took effect in December 2024, and the companion DFARS acquisition rule that actually puts CMMC language into solicitations took effect on November 10, 2025. Contracts issued from then on include CMMC requirements as conditions of award, not suggestions, and the set of solicitations that carry them widens with each phase of the rollout.

Third, if you’re a subcontractor and haven’t heard anything from your prime about this yet, that doesn’t mean you’re off the hook. It means your prime may not have gotten around to asking yet. Most primes are going to start flowing down compliance requirements more aggressively as their own renewal cycles come up.

The timeline question

CMMC 2.0 became a final rule when 32 CFR Part 170 took effect on December 16, 2024, after a long rulemaking process. The DFARS rule (48 CFR) that lets contracting officers put CMMC requirements into solicitations took effect on November 10, 2025, starting a four-phase rollout spread over roughly three years. Phase 1 covers Level 1 and Level 2 self-assessments; Level 2 certification assessments and Level 3 are phased in after that.

By the final phase, about three years after the DFARS rule took effect, CMMC is intended to be a requirement in all applicable DoD solicitations and contracts. Existing contracts may not pick it up until an option is exercised or the contract is renewed, depending on the acquisition vehicle, but new solicitations are increasingly including it.

Waiting to see if CMMC “really happens” was a reasonable instinct during rulemaking, but it’s a less defensible position with each contract cycle now that both rules are in effect. Contractors who started preparing 12 to 18 months ago are in a much better position when a solicitation drops and compliance has to be in place at award.

A quick comparison

                                    CMMC 1.0                                  CMMC 2.0
Number of levels                    5                                         3
Level 1 practices                   17                                        15 (the FAR 52.204-21 requirements)
Level 1 assessment                  Third-party (planned)                     Self-assessment, annual
CUI protection tier                 Level 3 (130 practices)                   Level 2 (110 requirements)
Maturity processes required         Yes                                       No
Alignment to NIST SP 800-171        Level 3, plus 20 extra practices          Level 2, exactly the 110 requirements
Final rule status                   Never finalized                           32 CFR Part 170 effective December 2024; DFARS rule effective November 2025
SPRS submission required            Not a CMMC 1.0 step (SPRS scores came     Yes: Level 1 and Level 2 self-assessment results, plus annual affirmations
                                    via DFARS 252.204-7019/7020)

Questions that come up a lot

Do I need a C3PAO if I only have FCI?

No. Level 1 allows self-assessment. You document your practices, record the result in SPRS, and have a senior company official sign the affirmation. A consultant can help you get there, but no third-party assessment organization is required.

We were working toward CMMC 1.0 Level 3. Are we starting over?

Probably not. Your technical work toward NIST 800-171 compliance transfers directly to CMMC 2.0 Level 2. What may need updating is your documentation and how you’ve mapped controls to current assessment objectives.

My prime hasn’t mentioned CMMC. Do I need to care?

Yes. Your prime’s requirement to flow down CMMC obligations exists regardless of whether they’ve gotten around to asking you about it. If you’re handling FCI or CUI on their behalf, you’re in scope.

The five-level model is what’s listed in my existing contract. Which applies?

If your contract was written before CMMC 2.0 was finalized, it may reference the old framework. In practice, the 32 CFR Part 170 rule is the only version of CMMC the DoD now assesses against, and the five-level model is no longer implemented anywhere, but you should review your specific contract language and, if needed, ask your contracting officer for clarification.

Where to go from here

Sorting out which level applies to you, what controls you’re missing, and how to get your SPRS submission accurate is the actual work. The framework overview is useful context, but it doesn’t get you compliant.

Pacific Cloud Cyber works with small and mid-sized contractors who need to get CMMC Level 1 and Level 2 compliance done without a dedicated IT security team. We’ve done this for construction firms, manufacturers, logistics companies, and professional services firms, and we know where the actual gaps tend to be versus where people spend time worrying unnecessarily.

If you’re trying to figure out where your company actually stands, a readiness assessment is the fastest way to get a real answer. We’ll look at your current tools, practices, and documentation against the specific requirements that apply to your contracts and give you a clear picture of what needs to change and what doesn’t. Contact Pacific Cloud Cyber to schedule a free consultation.
