Cybersecurity Maturity Model 2.0: New strategic implications from GRC to VRM

November 12, 2021


The Cybersecurity Maturity Model Certification (CMMC) was published in January 2020 by the US Department of Defense (DoD). The model established a new way to evaluate vendor cybersecurity programs by measuring both the technical controls in place and the ongoing processes used to maintain and review them. CMMC 1.0 was assembled from practices drawn from existing frameworks, chiefly NIST SP 800-171, supplemented by controls from sources such as NIST SP 800-53, ISO/IEC 27001 and the CIS Controls, to produce a single model for the defense industrial base. On November 4, 2021, the DoD announced a revised program based on the findings of an internal review. The revision, dubbed CMMC 2.0, sets a new strategic direction that aligns the model more closely with NIST SP 800-171 and NIST SP 800-172. Let's take a look at what's new: 

What’s new in CMMC 2.0? 

According to the DoD's announcement, the updates to the CMMC are meant to simplify the program while strengthening the security of the defense industrial base. The announcement cites the following goals: 

  • Fostering a collaborative culture of cybersecurity and cyber resilience across the defense industrial base.  
  • Integration with acquisition programs to ensure that contractors meet requirements before and during contract performance. 
  • Dynamically enhancing defense industrial base (DIB) cybersecurity to keep pace with evolving threats. 
  • Simplifying and clarifying the regulations, policies, and contract clauses that impose the requirements. 
  • Ensuring accountability for third-party and contractor cybersecurity requirements while reducing barriers to compliance. 
  • Maintaining public trust in the program through high professional and ethical standards for assessors.  

Overall, the new approach keeps the goals of the original model while adding clarity and putting more emphasis on implementing strong cybersecurity practices as the threat landscape continues to evolve.  

A model of simplification 

Specifically, CMMC 2.0 scales the model down from five levels to three: Level 1 (Foundational) covers the 17 basic safeguarding practices for Federal Contract Information (FCI); Level 2 (Advanced) consists of the 110 requirements of NIST SP 800-171 for Controlled Unclassified Information (CUI); and Level 3 (Expert) adds a subset of the enhanced requirements from NIST SP 800-172 on top of Level 2. The former Levels 2 and 4 of CMMC 1.0, which served as transitional steps, are removed. See the image below for more detail.  

[Infographic: CMMC model 1.0 levels alongside the CMMC model 2.0 levels]

Image of the CMMC 2.0 level structure, taken directly from the Office of the Under Secretary of Defense for Acquisition and Sustainment.

Refined practices and processes 

One of the distinctive elements of CMMC 1.0 was its weighted approach to measuring both the technical practices in place and process maturity (documented, managed, reviewed, optimized) at each level. In CMMC 2.0, all process maturity requirements have been eliminated from the three new levels; assessment is now based on whether the practices themselves are implemented. In addition, the CMMC-unique practices that were not part of the NIST family of frameworks have been removed, so that Levels 1 and 2 map directly to FAR 52.204-21 and NIST SP 800-171 respectively, and Level 3 (Expert) draws its additional requirements from NIST SP 800-172. 

Making assessments more accessible 

Other notable adjustments concern who performs the assessment. Level 1 no longer requires evaluation by an approved third-party assessor; organizations complete an annual self-assessment instead. At Level 2, a subset of programs (those not involving information critical to national security) will likewise allow annual self-assessment, while prioritized acquisitions will still require a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO). Level 3 is not self-assessed; it requires a triennial government-led assessment. Self-assessments must be accompanied by an annual affirmation from a senior company official, so the change shifts the upfront cost but not the accountability. The introduction of self-assessment significantly reduces the upfront cost that an organization would incur to certify against the CMMC, pivoting away from requiring organizations to pay for audits and seek reimbursement later. Overall, the updates make the CMMC more attainable across the market. 

Downstream impacts  

Clarity around how the CMMC is applied to downstream contractors has also been provided. The initial rollout of the CMMC left room for interpretation as to whether all subcontractors would need to maintain the same CMMC level indicated by the prime DoD contract. Since then, the DoD has specified that the level required of a subcontractor is based on the nature of the data flowed down to it, rather than on the scope of security outlined in the prime contract:   

“If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.” 

To get started, refer to the current version of the CMMC model on the DoD's CMMC site, which is updated as the program evolves. The site covers the domains and practices in detail and explains the assessment process. 

How OneTrust can help   

The OneTrust platform draws on expertise in GRC, with specialties in Vendor Risk Management, Policy Management, Privacy, and many other categories, to deliver an integrated cybersecurity management experience. It gives you visibility into all aspects of your organization's security program, allowing you to protect both your customers and your data.    
