History of CMMC

Timeline of CMMC 2.0:

2015: NIST 800-171
2016: DFARS 7012
2020: CMMC 1.0
2021: CMMC 2.0

2015

NIST 800-171

In mid-2015, NIST issued Special Publication (SP) 800-171. It mandated the protection of Controlled Unclassified Information (CUI) when housed in non-federal organizations, such as DoD contractors, collectively known as the Defense Industrial Base (DIB). It provided DoD contractors, whether primes or subcontractors, with recommended requirements for protecting the confidentiality of CUI while it is processed, stored, or transmitted.

2016

DFARS – DoD Regulation

In 2016, DFARS 252.204-7012 was made official. DFARS 7012, as it is commonly referred to, is a DoD regulation that requires the protection and "adequate security" of CUI. The regulation is based on the guidance, best practices, and compliance framework of NIST SP 800-171. Under DFARS 7012, DoD contractors were responsible for instituting their own cybersecurity safeguards, monitoring their own compliance, and self-certifying. Because official audits were rare, compliance was inconsistent across DoD contractors.


2020

CMMC 1.0 Framework

In February 2020, the DoD released Cybersecurity Maturity Model Certification (CMMC) 1.0, a framework to assess a contractor's cybersecurity maturity and outline requirements for the protection of CUI. The DoD worked with the Carnegie Mellon University Software Engineering Institute and the Johns Hopkins Applied Physics Lab (APL) to construct the CMMC framework.

In September 2020, the DoD published DFARS clauses 252.204-7019, -7020, and -7021. Collectively, these clauses describe the rulemaking process and the mandated requirements for CMMC, and they set out the regulatory requirement for all contractors wishing to hold contracts with the DoD.

2021

CMMC 2.0 Framework

In November 2021, the DoD released the updated CMMC 2.0 framework, which includes only three levels of maturity. Level 1 certification can be achieved by self-assessment. Some, perhaps all, Level 2 certifications must be completed by accredited third-party assessment organizations (3PAOs). Level 3 certifications will be initiated and completed by the DoD or appointed agencies/organizations.

2023

CMMC 2.0 Requirement

The expectation is that the CMMC requirement will appear in DoD contracts, RFIs, and RFPs as early as spring 2023.

Speak With a CISO Global Security Specialist Today

Our experts maintain the most respected credentials in the industry across cybersecurity, risk and compliance, forensics, incident response, ethical hacking, security engineering, and more.