
History of the CMMC 2.0

The Interplay Among NIST, DFARS, CMMC

NIST 800-171
DFARS 7012
CMMC 1.0
CMMC 2.0


NIST 800-171

In mid-2015, NIST issued Special Publication (SP) 800-171. It mandated the protection of Controlled Unclassified Information (CUI) when that information is housed in non-federal organizations, such as DoD contractors, collectively known as the Defense Industrial Base (DIB). It gave DoD contractors, whether primes or subcontractors, recommended requirements for protecting the confidentiality of CUI while processing, storing, or transmitting it.


DFARS – DoD Regulation

In 2016, DFARS 252.204-7012 was made official. DFARS 7012, as it is commonly called, is a DoD regulation that requires the protection and "adequate security" of CUI. The regulation is based on the guidance, best practices, and compliance framework of NIST SP 800-171. Under DFARS 7012, DoD contractors were responsible for instituting their own cybersecurity safeguards, monitoring their own compliance, and self-certifying. Because official audits were rare, compliance was inconsistent across DoD contractors.



CMMC 1.0 Framework

In February 2020, the DoD released Cybersecurity Maturity Model Certification (CMMC) 1.0, a framework to assess a contractor’s cybersecurity maturity and outline requirements related to the protection of CUI. The DoD worked with Carnegie Mellon University Software Engineering Institute and the Johns Hopkins Applied Physics Lab (APL) to construct the CMMC framework.

In September 2020, the DoD published DFARS clauses 252.204-7019, -7020, and -7021. Collectively, these clauses describe the rulemaking process and the mandated requirements for CMMC, and they set out the regulatory requirement for any contractor wishing to hold contracts with the DoD.


CMMC 2.0 Framework

In November 2021, the DoD released the updated CMMC 2.0 framework, which includes only three levels of maturity. Level 1 certification can be achieved by self-assessment. Some, perhaps all, Level 2 certifications must be completed by accredited third party assessment organizations (3PAOs). Level 3 certifications will be initiated and completed by the DoD or appointed agencies/organizations.


CMMC 2.0 Requirement

The expectation is that the CMMC requirement will appear in DoD contracts, RFIs, and RFPs as early as spring 2023.

Speak With a CISO Global Security Specialist Today

Our experts maintain the most respected credentials in the industry across cybersecurity, risk and compliance, forensics, incident response, ethical hacking, security engineering, and more.
