
CMMC 2.0 vs CMMC 1.0 — What Changed

DoD overhauled CMMC in 2021 and finalized CMMC 2.0 rules in late 2024. If you're a DC federal contractor handling CUI, here's exactly what changed and what you need to do now.

March 2026 | 10 min read | By Thorium LLC

Why CMMC Changed

CMMC 1.0 was released in January 2020 as DoD's attempt to verify that defense contractors were actually implementing the cybersecurity requirements already embedded in their contracts (NIST SP 800-171 via DFARS 252.204-7012). The problem: contractors were self-attesting compliance while audits revealed widespread gaps.

After significant criticism from industry — particularly around complexity, cost, and the inclusion of unique CMMC-specific practices that weren't in existing NIST standards — DoD launched a comprehensive review in 2021. The result was CMMC 2.0, announced in November 2021, with final rules published in October 2024 and enforcement beginning in 2025.

Key driver of the change

IG audits found that many contractors were self-attesting NIST SP 800-171 compliance while SPRS scores revealed average scores of -25 (out of 110) — meaning most had more than 100 unimplemented practices. CMMC 2.0 adds third-party verification for the most sensitive programs.

The Biggest Change: Levels Reduced from 5 to 3

CMMC 1.0 had five levels (1 through 5), with increasing security requirements at each level. CMMC 2.0 reduced this to three levels and eliminated the unique CMMC-specific practices that didn't exist in NIST standards.

Level   | CMMC 1.0                                   | CMMC 2.0
Level 1 | Basic Cyber Hygiene (17 practices)         | Foundational (17 FAR 52.204-21 practices) — Self-attestation
Level 2 | Intermediate Cyber Hygiene (72 practices)  | Advanced (110 NIST SP 800-171 practices) — Self-attestation OR C3PAO
Level 3 | Good Cyber Hygiene (130 practices)         | Expert (110+ NIST SP 800-172 practices) — DCSA-led government assessment
Level 4 | Proactive (156 practices)                  | Eliminated — rolled into Level 3
Level 5 | Advanced/Progressive (171 practices)       | Eliminated — rolled into Level 3

CMMC 2.0 Level 1 — What Changed

Who it applies to: Contractors handling Federal Contract Information (FCI) but not CUI.

Practice count: Same as before — 17 practices from FAR 52.204-21 (basic safeguarding requirements).

Assessment: Annual self-attestation by a senior company official. No third-party assessment required. This is the same as CMMC 1.0 Level 1.

If you only handle FCI and not CUI, Level 1 is your target. The requirements are basic — multi-factor authentication, virus protection, access control, physical security — and most organizations already meet them.

CMMC 2.0 Level 2 — The Most Important Change

Who it applies to: Contractors handling Controlled Unclassified Information (CUI) — this is where most DC defense contractors land.

Practice count: 110 practices — all of NIST SP 800-171 Rev 2. CMMC 1.0 Level 2 had 72 practices; 2.0 increased this to the full NIST SP 800-171 set. However, CMMC 1.0's 20 unique practices (which existed only in CMMC, not in NIST) were eliminated.

Assessment requirement — the critical split

CMMC 2.0 Level 2 has two tracks depending on the sensitivity of the program:

Track A — Self-Attestation

For contracts where DoD determines a C3PAO assessment isn't required. Annual self-attestation submitted to SPRS by a senior company official. Approximately 40–50% of Level 2 contracts.

Track B — C3PAO Third-Party Assessment

For contracts DoD designates as requiring independent verification. Assessment by a CMMC Third-Party Assessment Organization (C3PAO), triennial (every 3 years), with annual affirmations in between. Approximately 50–60% of Level 2 contracts involving prioritized acquisitions.

Your contracting officer will specify which track applies in the solicitation. If you're unsure, assume C3PAO — it's better to be over-prepared.

CMMC 2.0 Level 3 — Reserved for Highest-Risk Programs

Who it applies to: Contractors supporting DoD's most critical programs — advanced weapons systems, defense research, and programs with elevated risk of nation-state targeting.

Practice count: 110 NIST SP 800-171 practices plus additional enhanced requirements from NIST SP 800-172. The exact subset is defined by DoD based on program requirements.

Assessment: Led by DCSA (Defense Contract Security Agency) government assessors. Not a commercial C3PAO. Triennial assessment with annual affirmations.

Level 3 applies to a small minority of contractors. If you're subject to it, you'll know — it will be explicit in your contract and you'll be working directly with your program office.

Assessment & Documentation Changes

System Security Plan (SSP)

Required at all levels. The SSP documents how you implement each of the 110 NIST SP 800-171 practices. Auditors and C3PAOs will review this in detail. A weak SSP is the #1 reason assessments fail.

Plan of Action & Milestones (POA&M)

Required for any practice not yet fully implemented. CMMC 2.0 allows POA&Ms with milestones — you don't need 100% of practices implemented on day one, but high-value practices have strict timelines (180 days for most).

SPRS Score

Your NIST SP 800-171 self-assessment score must be submitted to the Supplier Performance Risk System (SPRS). Scores range from -203 to 110. The DoD uses SPRS scores as an early indicator of contractor security risk.

Affirmations

New in CMMC 2.0 — a senior company official must annually affirm that the company continues to meet the requirements. False affirmations can trigger False Claims Act liability.

Enforcement Timeline

Oct 2024: CMMC 2.0 final rule (32 CFR Part 170) published
Dec 2024: DFARS rule (48 CFR) published — CMMC requirements begin appearing in solicitations
2025: Phase 1 — Level 1 self-attestation and Level 2 self-attestation contracts begin
2026: Phase 2 — Level 2 C3PAO assessments required in prioritized acquisitions
2027: Phase 3 — Level 2 C3PAO requirements expand across more contract types
2028: Phase 4 — Full CMMC implementation across all DoD contracts

If your contracts reference DFARS 252.204-7021 (CMMC requirement), you are already subject to CMMC 2.0 requirements.

What DC Federal Contractors Should Do Now

1. Determine your CUI scope

Identify which systems handle CUI. This defines your assessment boundary and which CMMC level applies to you.

2. Conduct a NIST SP 800-171 self-assessment

Assess all 110 practices, calculate your SPRS score, and submit it to SPRS. This is required now regardless of which track you're on.

3. Develop or update your SSP

Your System Security Plan must accurately describe how each practice is implemented. Auditors will use this as the foundation of their assessment.

4. Build your POA&M

For any practices not yet implemented, create a POA&M with realistic milestones. High-value practices must be addressed within 180 days.

5. Prepare for C3PAO if required

If your contracts involve prioritized acquisitions, engage a C3PAO-qualified firm for a pre-assessment to identify gaps before the formal assessment.