Practice vs. Maturity in CMMC 2.0 Framework

Aaron McCray, Ignyte’s Chief Operating Officer, is giving a brief overview of the changes to CMMC 2.0,  and more specifically its Practice levels vs Maturity levels in the video below.

Aaron is a commercial risk management leader by trade and a Commander in the U.S. Navy Reserves. He joined the Ignyte Assurance Platform team to help us raise the awareness and readiness of the emerging Cybersecurity Maturity Model Certification, as well as NIST 800-171, NIST 800-72, NIST 800-53, and soon FedRAMP, for organizations involved in dealing with sensitive information.

Practice vs. Maturity

When CMMC was first introduced by the DoD, its purpose was to “normalize and standardized cybersecurity preparedness across the federal government’s Defense Industrial Base or DIB.” 

Essentially, they recognized a weakness in cybersecurity hygiene practices in their supply chain, and so CMMC became the standard the DIB would be “graded” by to ensure the protection of sensitive or Controlled Unclassified Information (CUI). 

To achieve a given CMMC level, an organization must have demonstrated both the technical practices and maturity processes defined at that level.

Now, with the introduction of CMMC 2.0, the purpose has evolved to “building upon the initial CMMC framework to dynamically enhance the DIB’s cybersecurity practices against evolving threats”. 

Ironically, it appears that the maturity processes have gone away remains to be seen how or if the DoD addresses “maturity” in the rulemaking process for 2.0. So, do we drop one of the “M’s” in CMMC? Seems silly, but I guess time will tell.


What is maturity anyway?

The “maturity portion of CMMC” came from the Capability Maturity Model Integration or CMMI process. Essentially, it is a behavioral model that helps organizations gain efficiencies in process improvement and encourage productive, effective behaviors that decrease risks in systems and processes.

CMMI was initially developed by the Software Engineering Institute at Carnegie Mellon University as a process improvement tool for projects or organizations. The DoD and U.S. Government helped develop CMMI, which became a common requirement for DoD and U.S. Government software development contracts. 

You can start to see the correlation of CMMI and CMMC as it relates to awarding contracts for the DIB and ensuring their cybersecurity processes continuously improve.


What are the CMMC 2.0 Levels?

So, now that we understand the difference between practice levels and maturity levels, how does it apply to CMMC 2.0? What are the new CMMC levels organizations need to focus on?

In the old CMMC Model 1.0 – Organizations had to achieve a CMMC maturity level based on the sensitivity of the DoD information it handled, processed, stored, etc. While CMMC 1.0 was based on 5 levels, CMMC 2.0 has reduced those levels to three:

  • Level 1 – Foundational
  • Level 2 – Advanced
  • Level 3 – Expert

As with CMMC 1.0, the three levels are based on specified practices with increasing sophistication, each level including the practices from the previous level:

  • Level 1 – 17 practices (aligned with FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems)
  • Level 2 – 110 practices (aligned with NIST SP 800-171 + Level 1 requirements)
  • Level 3 – 110+ practices (aligned with NIST SP 800-172 + Level 2 requirements)


Tiered Level Assessments

And while CMMC 1.0 required third-party assessments for all levels, CMMC 2.0 has reduced the requirement for third-party assessments, leveraging self-assessments in certain circumstances:

  • Level 1 – Annual self-assessments will be permitted with company self-certification of compliance. It is my assumption that senior executives will have to sign off on these self-attestations.
  • Level 2 – is bifurcated: meaning that if your organization is deemed to handle “critical national security information” then a Triennial third-party assessment by a CMMC Third-Party Assessor Organizations (C3PAO) will be required. For all other organizations at this level, they can perform self-assessments, just like organizations at Level 1.
  • Level 3 – A government-level assessment will be required, likely by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).


Additionally, it is important to note that under certain circumstances, which have yet to be defined, the DoD intends to allow contractors to continue to utilize POA&Ms to achieve certification compliance as a prerequisite to receiving a contract award, provided they contain specific deadlines for completion of remaining items (e.g., 180 days or less). 

The DoD has also included flexibility in requirements, intending to implement a process to waive CMMC requirements under certain limited circumstances. The specifics of those requirements will be implemented as part of the rulemaking process.


Let’s summarize

To recap, maturity processes appear to have been removed from CMMC 2.0. Practice levels have been reduced to 3, with levels 2 and 3 based upon NIST SP’s 800-171 & 172. Depending on the level you are certifying at will dictate the type of assessment you will need to pursue – either a self-assessment or an assessment completed by a C3PAO or the Defense Industrial Base Cybersecurity Assessment Center, also known as DIBCAC.

If you have comments or questions about the new levels in CMMC 2.0, please reach out to us at


Important Reference Links:

Ignyte Platform becomes a third-party assessment organization (3PAO), now listed on the FedRAMP Marketplace - Read More