Federal Compliance 2022: CMMC 2.0, StateRAMP, FedRAMP & Beyond

CMMC 2.0

Fewer Security Tiers

  • CMMC Levels 2 and 4 from the original framework are eliminated along with all maturity level processes.
  • Level 1 Foundational: Includes the same 17 controls outlined in the original CMMC framework, but now only requires an annual self-assessment and affirmation by company leadership.
  • Level 2 Advanced: Has pared down the original 130 controls in the original CMMC Level 3 baseline to the 110 controls outlined in NIST 800–171. The DoD is working on a process that will identify “prioritized acquisitions” that must undergo an independent assessment against the new Level 2 Advance requirements on a triannual basis. All other Organizations will only be required to perform an annual self-assessment and company affirmation every year.
  • Level 3 Expert: This level will replace what was formally known as CMMC Level 5. Details of this level are still being defined. It is expected that this level will incorporate a subset of controls from NIST SP 800–172.

Removing Some Third-Party Assessment Requirements

“Plan of Action and Milestones” (POA&Ms) Reports



What’s Next?



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


A-LIGN is a technology-enabled security and compliance partner: Know more at — https://www.a-lign.com/