The Cybersecurity Maturity Model Certification (CMMC) has been a hot topic in the federal contracting world since its inception in 2020. Initially, the model was designed to provide a standardized framework for evaluating the cybersecurity posture of contractors working with the Department of Defense (DOD). However, since its release, the model has been met with criticism and controversy, with many calling for its reform or even its outright repeal.
Fast forward to 2023, and the DOD has finally released its much-anticipated updates to the CMMC. But, as is often the case in Washington, change can be slow to come, and the updates may not be as seismic as some had hoped. In this article, we’ll take a closer look at the updates and what they mean for federal contractors.
The Problem with CMMC 1.0
The original CMMC was designed to be a more comprehensive and nuanced approach to evaluating a contractor’s cybersecurity posture. Rather than simply relying on a checklist of security best practices, the model was supposed to take into account a contractor’s maturity level, with five levels ranging from Basic to Level 5, Achieving.
However, the initial rollout of CMMC 1.0 was met with widespread criticism from the contracting community. Many contractors felt that the model was too broad, too complex, and too burdensome. Others argued that the model was not aligned with industry best practices and that it would be difficult to implement.
One of the main concerns with CMMC 1.0 was the requirement for contractors to implement a comprehensive cybersecurity program, which many felt was outside the scope of their contracts. Additionally, the model’s emphasis on process maturity over technical capabilities raised concerns among contractors who felt that they were being held to an unfair standard.
The Updates: What’s Changed?
So, what changes have been made to the CMMC in the latest updates? On the surface, it may seem like not much has changed. The core principles of the model remain the same, and the five levels of maturity still apply. However, there are a few key tweaks that are worth noting.
First, the DOD has clarified the role of the CMMC in the acquisition process. According to the updates, the CMMC will be used to inform decisions about a contractor’s eligibility to bid on high-value contracts. However, the model will not be used as a sole factor in determining a contractor’s eligibility.
Second, the DOD has introduced a new framework for evaluating a contractor’s cybersecurity posture. The framework, called the


