One of the more significant changes in the new CMMC 2.0 guidelines was the move from third-party to self-assessment at Level 1 maturity. At Level 1, contractors can perform a self-assessment rather than engage with a C3PAO, significantly reshaping their obligations and the associated costs and effort for compliance.

Here, we’re covering the CIO’s guidance for organizations performing self-assessments, specifically how to scope their self-assessments for Level 1 maturity.