CMMC 1.0 was originally developed because the cybersecurity self-assessment allowed under DFARS 252.204-7012 did not work out as planned and was a failure. Under CMMC 1.0 there were five maturity levels of certification an organization could obtain, but only after an assessment conducted by an independent third-party organization, which eliminated self-assessments. CMMC 2.0 condenses the certification levels down to three and brings back self-assessments, but this time around it is intended to have more "teeth," with the DoD and DOJ relying heavily on the False Claims Act (FCA). The FCA will be used against government contractors who knowingly fail to meet the required standards during the self-assessment but claim they do anyway.
This places significant risk on the shoulders of an organization's executives. Executives are trusting individuals within the organization to make sure controls are in place and are working effectively. This approach contradicts the cybersecurity best practice of "Zero Trust" and increases an organization's risk of an FCA violation. Every organization must mitigate risks of all types in order to keep functioning and operating. So even if your CMMC 2.0 requirements do not call for a third-party attestation, executives should consider obtaining an independent third-party review of their cyber and information security controls to confirm they meet their government contract requirements.
The threat of cybersecurity-based FCA action against DIB companies is not simply theoretical. As illustrated by Briggs v. Quantitech, and similar cases, "[t]here has been an uptick in cybersecurity-based FCA actions in recent years, predominantly qui tam actions filed by former employees that 'blew the whistle' on their company's deficient cybersecurity standards and practices."