
CMMC 2.1 Explained: How Is the Cybersecurity Maturity Model Certification Program Changing?

August 29, 2023 · 7 min read · Austin Mitchell · Compliance Practice
Tags: CMMC · NIST 800-171 · CUI · Compliance · Government

CMMC continues to evolve. Here's what the 2.1 updates mean for security compliance across government contracts and the defense industrial base.

CMMC continues to evolve as the Department of Defense codifies how it will validate the cybersecurity posture of every contractor that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The 2.1 iteration brings refinements that affect every organization in the defense industrial base.

Key Updates

  • Streamlined level structure aligned to the underlying NIST SP 800-171 (Level 2) and NIST SP 800-172 (Level 3) requirements, with Level 1 covering the basic safeguarding requirements for FCI.
  • Clarified scoping guidance on which assets fall inside the assessment boundary and how Specialized Assets (such as OT, IoT and government-furnished equipment) are documented and treated.
  • POA&M (Plan of Action and Milestones) eligibility rules confirming that only certain lower-weighted requirements can be deferred under a conditional certification, with a 180-day window to close them out.
  • Refined assessment scoring aligned with the existing DoD Assessment Methodology for NIST SP 800-171: a 110-point scale from which each unmet requirement deducts a weighted 1, 3 or 5 points.
  • Plain-language documentation requirements pushing organizations to write System Security Plans (SSPs) that describe what an assessor will actually observe, not the controls they intend to have someday.

What It Means for Contractors

The fundamentals are unchanged: if you handle CUI you fall under Level 2, must implement all 110 NIST SP 800-171 requirements, and for most contracts must pass an assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO) rather than a self-assessment. The 2.1 updates make the rules clearer but do not lower the bar. Contractors who have been waiting to start should start now: first-assessment lead times for authorized C3PAOs are stretching to six months or more.

Maverc is a Registered Provider Organization (RPO) and supports clients across the defense industrial base from initial gap assessment through C3PAO readiness. Reach out if you need a partner.