November 12, 2021

Last Updated on January 18, 2024

The shift from CMMC 1.0 to CMMC 2.0 based on the US Department of Defense (DoD)’s review of the program has garnered a lot of attention in recent days, much of it focused on what is different. Many defense industrial base (DIB) orgs are probably celebrating that “we no longer need an audit” or “we have fewer controls to worry about.”

But the core of the CMMC program remains largely unchanged, and what’s the same is at least as important as what’s different for most DIB orgs. What does CMMC 2.0 really mean for the DIB? And what requirements does it presage for government contractors outside the defense sector?

To quickly share everything you most need to know right now about CMMC 2.0, Pivot Point Security CISO and Managing Partner, John Verry, recorded a special episode of The Virtual CISO Podcast. Joining John for this show are two of Pivot Point’s most senior GRC consultants: George Perezdiaz, CMMC/NIST Security Consultant, and Caleb Leidy, CMMC Consultant/Provisional Assessor.

The New “CMMC Level 1”

With CMMC 2.0, the new CMMC Level 1 still focuses on the 17 “basic cyber hygiene” requirements for handling Federal Contract Information (FCI) that CMMC 1.0 defined for Level 1, based on NIST 800-171 and FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

The big news here is that there is no longer a third-party audit/certification requirement for firms charged with CMMC Level 1 compliance. In its place is an annual self-attestation in the form of an affirmation letter signed by a senior executive.

What do the changes mean for my business?

The bottom line for DIB orgs at CMMC Level 1 is:

  • You’ll save considerable money by forgoing an initial certification audit plus recertification audits every third year.
  • The cybersecurity controls that you need to implement haven’t changed at all. Moreover, these minimal requirements are universally regarded as essential for any internet-connected business in any industry to reduce egregious cyber risk.
  • The requirement for a senior official of your company to take personal responsibility for the veracity of your firm’s self-attestation of its cybersecurity posture, “a la Sarbanes-Oxley” as John puts it, is likely to generate a higher degree of investment and scrutiny on cybersecurity, and on ensuring that you’re representing your controls honestly.

Just to make sure that senior business leaders in the DIB understand what they’re putting on the line when they attest to their organization’s security posture, the US Department of Justice (DoJ)’s recent Civil Cyber-Fraud Initiative emphasizes that the DoJ will pursue False Claims Act cases against individuals as well as corporations.

What’s Next?

To listen to the full episode on CMMC 2.0 with John, George and Caleb, click here: EP#71 – Caleb Leidy & George Perezdiaz – CMMC 2.0 is Here! Find Out What It Really Means for DIB and Non-DIB USG Contractors – Pivot Point Security

For more expert insight on what just happened with CMMC and what DIB orgs now need to focus on, we recommend this recent post:

New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC). This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.