I fancy myself a reasonably intelligent person up until last November’s CMMC 2.0 update webinar.

I don’t think I had ever used the word “bifurcation” in a sentence. In fact, I don’t think I had ever even heard the word before. A quick Google search defines bifurcation as “the division of something into two branches or parts.” Well, now I know.

As you probably know, last November, the CMMC 2.0 model was introduced. There were several changes but most notably, it reduced the number of levels of the maturity model from 5 to 3. Level 1 was left largely untouched from a practice standpoint (there are still 17), but Level 2 of the new CMMC 2.0 model was the old Level 3 without what we call the “Delta 20.” So the new Level 2 now consists of the 110 practices found in NIST 800-171. But what took most of us by surprise was this idea of bifurcation.

The CMMC-AB used this word to describe a scenario by which there would be some organizations allowed to self-attest within CMMC 2.0 Level 2, while other organizations needing Level 2 would be required to have a third-party assessment. The difference between organizations allowed to self-attest and organizations needing a third-party assessment would be based on the type of CUI the organization possesses.

This raises many questions. What types of CUI would allow self-attestation? What types of CUI would require third-party assessments? How do we differentiate between the two? What would that mean for the organizations that were already taking steps toward certification? When would these CUI determinations be made? In theory, it sounded like it could work; but in practice, it really created more problems.

Yesterday, the Department of Defense (DoD) held a Town Hall and we were told that bifurcation was going away. No more bifurcation. Every organization needing to adhere to the 110 practices in CMMC 2.0 Level 2 would need a third-party assessment. In removing bifurcation for CMMC 2.0, the DoD reduced some confusion.

So what does this all mean? For starters, it means that we won’t be able to use the term “bifurcation” anymore. And let’s be real: using that word only made us sound really smart at parties. Secondly, it means all organizations handling or possessing CUI will need a third-party assessment. They won’t be able to self-attest.

My advice? If your organization is planning on winning DoD contracts that require handling or possessing CUI, you need a third-party assessment. Don’t wait to get your organization ready. The rule-making period was expected to take 9-24 months and the clock started late last year. Now if you don’t mind, I need to go bifurcate some donuts.

Our Cybersecurity team is involved in every facet of the CMMC Ecosystem; we are also a certified Registered Provider Organization (RPO), and candidate Certified Third Party Assessor Organization (C3PAO). Members of our Cybersecurity Team are Provisional Assessors (PA), Provisional Instructors (PI), and Registered Practitioners (RPs). Learn more about how we can help your organization reach compliance.


Matt Hoeper is an experienced cybersecurity professional with 25+ years of IT experience. Matt holds a Master’s degree in Management Information Systems as well as PMP and CISSP certifications. Prior to joining Edwards, he worked for Fortune 500 companies and small businesses in areas of engineering, financial, marketing, supply chain, manufacturing, and health care. Over his career, Matt has conducted security assessments against multiple standards.