Bye Bye Bifurcation

I fancied myself a reasonably intelligent person up until last November’s CMMC 2.0 update webinar.

I don’t think I had ever used the word “bifurcation” in a sentence. In fact, I don’t think I had ever even heard the word before. A quick Google search defines bifurcation as “the division of something into two branches or parts.” Well, now I know.

As you probably know, the CMMC 2.0 model was introduced last November. There were several changes, but most notably it reduced the number of levels in the maturity model from 5 to 3. Level 1 was left largely untouched from a practice standpoint (there are still 17), but Level 2 of the new CMMC 2.0 model was the old Level 3 without what we call the “Delta 20.” So the new Level 2 now consists of the 110 practices found in NIST 800-171. But what took most of us by surprise was this idea of bifurcation.

The CMMC-AB used this word to describe a scenario in which some organizations would be allowed to self-attest within CMMC 2.0 Level 2, while other organizations needing Level 2 would be required to have a third-party assessment. The difference between the two groups would be based on the type of CUI the organization possesses.

This raised many questions. What types of CUI would allow self-attestation? What types of CUI would require third-party assessments? How do we differentiate between the two? What would that mean for the organizations that were already taking steps toward certification? When would these CUI determinations be made? In theory, it sounded like it could work; in practice, it created more problems than it solved.

Yesterday, the Department of Defense (DoD) held a Town Hall and we were told that bifurcation was going away. No more bifurcation. Every organization needing to adhere to the 110 practices in CMMC 2.0 Level 2 would need a third-party assessment. In removing bifurcation for CMMC 2.0, the DoD reduced some confusion.

So what does this all mean? For starters, it means that we won’t be able to use the term “bifurcation” anymore. And let’s be real: using that word only made us sound really smart at parties. Secondly, it means all organizations handling or possessing CUI will need a third-party assessment. They won’t be able to self-attest.

My advice? If your organization is planning on winning DoD contracts that require handling or possessing CUI, you need a third-party assessment. Don’t wait to get your organization ready. The rule-making period was expected to take 9-24 months and the clock started late last year. Now if you don’t mind, I need to go bifurcate some donuts.

Our Cybersecurity team is involved in every facet of the CMMC Ecosystem; we are also a certified Registered Provider Organization (RPO), and candidate Certified Third Party Assessor Organization (C3PAO). Members of our Cybersecurity Team are Provisional Assessors (PA), Provisional Instructors (PI), and Registered Practitioners (RPs). Learn more about how we can help your organization reach compliance.

© Edwards Performance Solutions 2026