The cybersecurity requirements for contractors working with the Department of Defense (DoD) / Department of War (DoW) have evolved significantly since the original version of the Cybersecurity Maturity Model Certification (CMMC). Over time, the program has been refined to balance industry feedback, operational practicality, and real-world risk.
Understanding how CMMC 1.0, 2.0, and the forthcoming 3.0 compare is critical. It helps organizations assess where they stand, what their obligations are, and how to prepare for the next stage of compliance. In this article, we examine significant differences across versions and their implications for organizations, especially those that leverage Microsoft 365 and Azure.
Fundamental Differences: Structure, Scope, and Philosophy
| Version | Certification Levels | Assessment Approach | Foundational Philosophy |
|---|---|---|---|
| CMMC 1.0 | 5 levels (Level 1–5). | Third-party assessment required for all levels. | Layered maturity: “basic” cyber hygiene, advanced practices, and process maturity. |
| CMMC 2.0 | 3 levels: Level 1 (Foundational), Level 2 (Advanced), Level 3 (Expert). | Annual self-assessment at Level 1 and for a subset of Level 2 contracts; third-party (C3PAO) assessment for most Level 2 contracts; government-led (DIBCAC) assessment at Level 3. | Simplified structure anchored to FAR 52.204-21 and NIST SP 800-171/800-172, with limited, time-boxed POA&Ms. |
| CMMC 3.0 (anticipated; not formally announced, see the note at the end of this article) | Expected to keep the 3-level structure while refining control baselines and assessment detail. | Likely more automation, an updated NIST baseline, and a move toward continuous compliance. | Streamlined model integrating updated NIST guidance with improved clarity and technical effectiveness. |
Why the changes matter:
- The shift from 1.0 to 2.0 reduced complexity and aligned the model with existing standards such as NIST SP 800-171, easing compliance for small- and mid-sized contractors.
- CMMC 3.0, if and when it is published, is expected to build on this by emphasizing automation, modernization, and continuous assurance rather than static certification cycles.
- For cloud-enabled contractors, the alignment to NIST SP 800-171 means most requirements map to controls that Microsoft 365 and Azure already expose as configurable features, which lowers implementation overhead; the contractor still has to configure those features correctly and produce evidence that they are in place.
What Changed Between 1.0 and 2.0
The move from CMMC 1.0 to 2.0 represented a significant shift toward simplification and practicality.
Key differences include:
- Reduction in levels: CMMC 1.0 featured five levels, while 2.0 consolidated them into three (Foundational, Advanced, and Expert) to eliminate redundancy and confusion.
- Removal of maturity processes: The 1.0 model included process-maturity assessments that evaluated the extent to which cybersecurity practices were institutionalized. 2.0 eliminated this requirement to focus purely on control implementation.
- Introduction of POA&Ms: Plans of Action and Milestones allow organizations to document deficiencies and remediate them within a set timeframe, replacing the rigid "pass/fail" system of 1.0. The allowance is deliberately narrow: POA&Ms are not permitted at Level 1, a minimum assessment score is required for a conditional Level 2 or Level 3 status, certain requirements cannot be placed on a POA&M at all, and open items must be closed within 180 days or the conditional status lapses.
- Alignment with existing frameworks: CMMC 2.0 anchors Level 2 directly to the 110 requirements of NIST SP 800-171 Revision 2, ensuring consistency with the existing DFARS 252.204-7012 obligation.
- Flexible assessment: While 1.0 required third-party certification at all levels, 2.0 allows self-assessments at Level 1 and for certain Level 2 contracts, reserving C3PAO assessment for the remaining Level 2 contracts and government-led assessment for Level 3.
Impact for contractors:
CMMC 2.0 made compliance more attainable, especially for smaller suppliers in the Defense Industrial Base (DIB). Organizations can now leverage existing security investments, prioritize higher-risk areas, and progressively mature their programs without duplicating effort.
What CMMC 3.0 Brings
CMMC 3.0 has not been formally announced or drafted (see the note at the end of this article); where it is discussed, it is expected to refine rather than replace the 2.0 model, focusing on clarity, alignment with the latest NIST updates, and automation for continuous compliance.
Expected enhancements include:
- Updated baseline: A future revision is expected to move the Level 2 baseline from NIST SP 800-171 Revision 2 to Revision 3, and to carry any corresponding update of NIST SP 800-172 into Level 3, refining control parameters for CUI protection.
- Outcome-based controls: Fewer but broader requirements focused on measurable outcomes, improving technical precision while reducing duplication.
- Emphasis on automation: The new version is expected to leverage automated control validation, continuous monitoring, and real-time evidence collection to supplement, and in part replace, periodic manual audits.
- Greater clarity and standardization: Updated guidance will reduce ambiguity in interpretations and ensure consistency across contractors and assessors.
What this means for contractors:
CMMC 3.0 represents an evolution toward continuous assurance. Contractors that adopt automated compliance dashboards, centralized log retention, and continuous validation on platforms such as Microsoft Defender for Cloud or Compliance Manager will be well-positioned to meet upcoming requirements.
| Feature | CMMC 1.0 | CMMC 2.0 | CMMC 3.0 (Expected) |
|---|---|---|---|
| Levels | 5 | 3 | 3 |
| Maturity processes | Yes | Removed | Not expected to return |
| POA&Ms allowed | No | Yes, with limits (not at Level 1; minimum score; excluded requirements; 180-day closeout) | Yes, limits expected to remain |
| Baseline standard | Mix of CMMC-unique practices, NIST SP 800-171, and FAR/DFARS | FAR 52.204-21 (Level 1); NIST SP 800-171 Rev 2 (Level 2); NIST SP 800-171 Rev 2 plus selected NIST SP 800-172 requirements (Level 3) | NIST SP 800-171 Rev 3 and an updated NIST SP 800-172 (expected) |
| Assessment flexibility | All third-party | Mixed: self (Level 1, some Level 2), C3PAO (most Level 2), government-led (Level 3) | Expected hybrid with automation and self-reporting |
| Focus | Broad maturity and processes | Realistic, control-based compliance | Continuous, outcome-based assurance |
Implications for Microsoft 365 and Azure Environments
For organizations using Microsoft cloud services, the CMMC evolution aligns naturally with built-in capabilities.
More precise mapping
Many of the NIST SP 800-171 and 800-172 requirements map directly to Microsoft 365 and Azure services, including access management, encryption, and incident response. Inheriting a control from the platform does not remove the contractor's responsibility for it: the assessed artifacts are the contractor's own tenant configuration, System Security Plan, and evidence, and any cloud service that stores or processes CUI must meet the FedRAMP Moderate (or equivalent) requirement of DFARS 252.204-7012.
Automation-ready architecture
Tools like Defender for Cloud, Purview, Sentinel, and Compliance Manager already support continuous monitoring, policy enforcement, and evidence generation. These capabilities are useful for today's CMMC 2.0 assessments and are the same ones a future, more automated CMMC 3.0 is expected to rely on.
Reduced administrative overhead
With POA&Ms permitted within the limits described above, cloud-native compliance tracking can maintain the status of each remediation item and the supporting evidence, reducing manual documentation while preserving traceability for assessors. The SSP and POA&M themselves remain the documents an assessor reviews, so the tooling supports them rather than replacing them.
Future-proofing
Organizations investing in automation, zero-trust identity governance, and centralized monitoring will be prepared for both current and forthcoming CMMC requirements.
Conclusion
The CMMC framework’s evolution reflects the DoD’s/DoW’s shift toward more innovative, scalable, and transparent cybersecurity oversight.
- CMMC 1.0 introduced the vision of structured maturity but proved too rigid and resource-intensive.
- CMMC 2.0 refined that vision, simplifying levels, removing unnecessary maturity layers, and aligning with trusted federal standards.
- CMMC 3.0, when it arrives, is expected to continue the evolution, focusing on automation, continuous monitoring, and modernized controls to keep pace with emerging threats.
For defense contractors, this evolution signals progress not just in compliance but also in operational resilience. Organizations leveraging Microsoft 365 and Azure already have the core tools to meet and maintain compliance through configuration, automation, and governance.
CMMC is no longer just a certification framework; it is a living model of cyber maturity. Adapting to its evolution ensures not only contract eligibility but also enduring trust, operational security, and alignment with national defense objectives.
Note
As of December 2025, the Department of Defense (DoD)/Department of War (DoW) has not formally released or announced an official version labeled "CMMC 3.0." The current, legally recognized framework remains CMMC 2.0, codified in 32 CFR Part 170 (final rule published October 15, 2024, effective December 16, 2024) and in the DFARS (48 CFR) final rule published September 10, 2025 and effective November 10, 2025. This rulemaking establishes the Cybersecurity Maturity Model Certification program as a mandatory requirement for specific defense contracts and begins a phased implementation period extending through November 10, 2028.
While the DoD/DoW continues to evaluate updates to align future revisions of CMMC with NIST SP 800-171 Revision 3 and SP 800-172, there is no official release date, draft, or publication for any “CMMC 3.0” standard. References to CMMC 3.0 in public discussions reflect anticipated future modernization efforts, such as enhanced automation, continuous compliance monitoring, and improved control clarity. Still, these have not yet been formally adopted or implemented.
Until further notice, CMMC 2.0 remains the authoritative version, and all contractors should prepare for compliance with the requirements defined in the 32 CFR Part 170 rule and the DFARS rule effective November 2025, including DFARS 252.204-7021 (the CMMC contract clause) alongside the existing DFARS 252.204-7012 obligations.