American Made Advocacy: The Shared Responsibility of Rebuilding Our Industrial Base
The Government Circuit: USMCA Review—A Crucial Opportunity to Fortify North American Electronics
The Double-edged Sword of CMMC 2.0
June 6, 2022 | Divyash Patel, MX2 TechnologyEstimated reading time: 2 minutes
For the past few years, those whose SMT provider organizations supply or contract with the U.S. Department of Defense (DoD) have been hearing about—or even gearing up for—implementation of the Cybersecurity Maturity Model Certification (CMMC) program. By this, I mean that you were gearing up for CMMC 1.0. Today, we have CMMC 2.0, and there are several changes in the new version that impact both the standards for compliance and how you certify that compliance—especially if you run a small business.
Small businesses are the backbone of the defense industrial base (DIB), just as they are for the entire economy. As both patriots and businesspeople, I’m sure most contractors serving the DoD support the goals of the CMMC program: ensuring the security of sensitive data up and down the supply chain. I’m also certain that the CMMC 1.0 rules, which went into effect in November 2020, caused more than a little stress and anxiety for smaller contractors. Why? Because CMMC 1.0 required contractors to undergo an examination by a Certified Third-Party Assessment Organization (C3PAO) to become certified.
When it became clear that the burden CMMC 1.0 placed on small contractors was significant enough to potentially force some out of the DIB, the DoD hit pause on the CMMC program. In fact, the official in charge of the CMMC’s implementation came out and said one of the main goals of revising the program was to decrease the cost burden on small businesses. As a result, the DoD scrapped CMMC 1.0 and announced CMMC 2.0 in November 2021. The full 2.0 framework is expected to be released sometime next year.
But don’t make the mistake of thinking the government will kick the CMMC can down the road once again when 2023 rolls around. I fully expect CMMC 2.0 to come online when the rules are final.
At a high level, the two major changes that will likely affect you are the new tiers of security and the shift to annual self-attestation of compliance.
The original CMMC defined five levels of security. CMMC 2.0 has three:
- Foundational
- Advanced
- Expert
For most of you, the newly collapsed levels won’t change the practical compliance requirements. This is good news. Most contracts will fall into Level 1, so any work you have done to this point to achieve Level 1 compliance under CMMC 1.0 has not been wasted. The new framework relies on the same 17 baseline security controls used in the prior version—more on those controls in a moment.
The key distinction between Level 1 and Level 2 under CMMC 2.0 has to do with the type of information you handle. Level 1 focuses on securing federal contract information (FCI), for which there are no national security concerns. The bar for Level 1 is not set very high— it is essentially developing and maintaining good baseline cybersecurity policies and procedures. In my view, this is something any company should do; it’s just a good business practice.
To read this entire article, which appeared in the June 2022 issue of SMT007 Magazine, click here.
Share on:
Testimonial
"Our marketing partnership with I-Connect007 is already delivering. Just a day after our press release went live, we received a direct inquiry about our updated products!"
Rachael Temple - AlltematedSuggested Items
Learning with Leo: The Cost of Training on Skills and Knowledge Development
01/06/2026 | Leo Lambert -- Column: Learning With LeoThe ability to manufacture electronic products requires specific skills and knowledge, which have traditionally been developed through on-the-job experience and training. These experiences and training programs are expensive to implement, yet they are necessary to meet customer demands and remain competitive in the marketplace. Today, manufacturers, including government contractors, rely on industrial specifications in the design, fabrication, and assembly of electronic products.
NTT Research Unveils New Lithium Niobate Waveguide for Programmable Photonics
12/09/2025 | BUSINESS WIRENTT Research, Inc., a division of NTT, announced that members of its Physics & Informatics (PHI) Lab, in collaboration with Cornell University and Stanford University, have demonstrated a photonic processor whose refractive index can be rewritten across a two-dimensional waveguide to exercise virtually arbitrary control over the propagation of light waves and perform machine-learning computations.
GÖPEL electronic Integrates Boundary Scan into Takaya Flying Prober
12/01/2025 | GÖPEL electronicFully automated multi-panel programming of test subjects for fast and flexible handling in the manufacturing process
The Heart of the Electronics Industry Beats in Guanajuato: Salomon Ceballos
11/26/2025 | Lorena Villanueva, Global Electronics Association MexicoTechnological revolutions aren’t only measured in gigabytes, robots, or PCBs. They're also measured in people. In Guanajuato, the most strategic resource being built is not machinery, but talent. At the center of this transformation is Salomón Ceballos, general director of the State Training Institute (IECA). What makes IECA unique isn’t just its facilities, it’s its approach. Unlike most training institutes under the Education Department, IECA is part of Guanajuato’s Ministry of Economy, and that changes everything.
Real Time with... productronica 2025: Pluritec Previews X-ray, Drilling and Wet Processing Automation
11/12/2025 | Real Time with...productronicaNolan Johnson catches up with Maurizio Bonati for a sneak peek at Pluritec's productronica program, and also an update on business in general. Listen to the conversation now and stay tuned for more exclusive coverage of productronica 2025 after the big event next week on realtimewith.com and featured in upcoming I-Connect007 Newsletters.