A Guide To New Tier System Of CMMC 2.0

After months of robust discussion and frequent updates, CMMC 2.0 is here. To the relief of many defense contractors; the new CMMC guidelines are streamlined and significantly easier to comply with. While the new guidelines are welcomed by many; it is still essential to stay up to date. To stay in satisfactory standing with the Department of Defense, you must be precise on your responsibilities in the area of cybersecurity.

The most critical updates on CMMC 2.0 come in the area of sensitive information. The criticism of its earlier iteration was that it made no distinctions between contractors and the nature of their businesses. All DIB firms were expected to adhere to the exact accreditation requirement; which is no longer the case. The certification requirements are now more flexible and will correspond with a contractor’s exposure to sensitive information. So, what is a cmmc compliance under this new framework, and how will it impact your firm?

A Guide to New Tier System of CMMC 2.0 2

A Three-Tiered System Of CMMC 2.0

The most crucial change to emerge under this new framework is the revision of the original 5 tiers down to 3. These tiers range from Foundational to Expert and correspond with the sort of information a firm handles. Under CMMC 2.0, High-Value Assets and Controlled Unclassified Information are the primary determinants of a firm’s obligation to submit to an audit.


The first tier of CMMC 2.0 is known as Foundational; and this is the level of compliance ascribed to firms that handle neither HVA nor CUI. These contractors will not be required to submit to a third-party audit. Instead, Tier 1 contractors will be allowed to complete an annual self-assessment according to NIST 800-171.

Also Check: How to Choose The Right HVAC System For Your House?


The Second Tier of CMMC 2.0 is called Advanced. This tier will apply to any contractor that handles Controlled Unclassified Information, but not High-Value Assets. If you are a contractor that takes CUI, you will generally be able to complete a yearly self-assessment. However, if your CUI is deemed of particular interest to National Security; you will be subjected to a third-party audit.

Also Check: 5 Major Benefits Of A Home Intercom System


The top tier under CMMC 2.0 is called Expert. This is reserved for firms that handle High-Value Assets. Since they carry the highest security liability; Expert contractors will be required to submit to an audit of their cybersecurity networks. While information is still emerging; it is widely understood that a third-party accreditation service will not perform these audits. Instead, an internal organization will complete the assessment of any Expert cybersecurity networks.

For DoD contractors, assessing your relationship with HVA and CUI is a critical first step towards compliance with CMMC. The next step is evaluating your firm’s compliance with the standards outlined in NIST 800-171. Once your firm has completed these steps; it is recommended to consult with an experienced compliance manager. A management service can verify the integrity of your systems without the risk of penalty. Should there be room for improvement, they can work with you to make the necessary changes.

Also Check: Difference Between System Software and Application Software

Image by Pete Linforth from Pixabay