
CMMC ByteSize: CMMC 2.0 vs. CMMC 1.0

CMMC (Cybersecurity Maturity Model Certification) has been years in the making. In this article, we explore the background behind the current version of CMMC and the various stages CMMC has gone through so far.

This context will help you understand the purpose behind CMMC and what the DoD is seeking to achieve by introducing it as a requirement in contracts.

If you started your preparations for CMMC following the early announcements, it is also important that you understand how CMMC requirements have changed since that initial version was released.

Key Takeaways

  • CMMC 2.0 more closely aligned CMMC requirements with the standards laid out in NIST SP 800-171.
  • CMMC 2.0 has three levels to CMMC 1.0’s five.
  • DoD contracts carrying DFARS 252.204-7012 have required implementation of NIST SP 800-171; the clause set a compliance deadline of December 31, 2017.
  • NIST SP 800-171 itself is not static: revisions have been released over time, the latest being Revision 3, published in May 2024. CMMC 2.0 is based on Revision 2.

Why this matters: You need to ensure your organization has an up-to-date understanding of the NIST SP 800-171 requirements, and of the NIST SP 800-171A assessment procedures used to evaluate them, to ensure you are CMMC ready.

2010: Safeguarding Controlled Unclassified Information (CUI)

CMMC’s origins trace back to November 2010, when President Obama issued Executive Order 13556 to standardize how executive branch agencies handle unclassified information that requires safeguarding or dissemination controls.

  • This order established the CUI Program, naming the National Archives and Records Administration (NARA) as its Executive Agent, and introduced the term “controlled unclassified information (CUI)” for the documents and communications it sought to protect.

2015: Introducing Cybersecurity Standards in NIST SP 800-171

The National Institute of Standards and Technology (NIST), the non-regulatory federal agency responsible for setting standards and establishing guidelines, issued a special publication in 2015 called NIST SP 800-171.

  • The document lists the specific security requirements that entities handling CUI need to have in place to protect it.
  • NIST has revised it since: Revision 1 in December 2016, Revision 2 in February 2020, and Revision 3 in May 2024.

Go deeper: More guidance on the definition of CUI can be found on the DoD CUI Program site and the CUI Registry, hosted by the National Archives.

2017: DFARS Clause Requires DoD Contractors to Adhere to NIST 800-171

In response to increases in the number of data breaches and cyber threats targeting the DIB, DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) was revised to require DoD contractors and subcontractors to implement the security requirements of NIST SP 800-171, with a compliance deadline of December 31, 2017. NIST SP 800-171A, published in 2018, is the companion document describing how those requirements are assessed.

  • The Federal Acquisition Regulation (FAR) codifies how executive branch agencies, including the US military and NASA, establish contracts and procure goods and services.
  • The Defense Federal Acquisition Regulation Supplement (DFARS) is the DoD’s supplement to the FAR.

Why this matters: Following the inclusion of this clause, contractors must implement NIST SP 800-171 to be eligible for awards. Since November 2020, DFARS 252.204-7019 and 252.204-7020 have also required them to self-assess against the DoD Assessment Methodology and post the resulting score in the Supplier Performance Risk System (SPRS). These requirements remain in effect today.

Go deeper: More information on relevant DFARS clauses can be found in What is DFARS: A Deeper Look at DoD Compliance.

2020: The DoD Introduces CMMC 1.0

The DoD published CMMC version 1.0 in January 2020. According to the DoD, the framework was designed to “provide increased assurance” that defense contractors can protect CUI in a way that is adequate for the level of risk they face. The DFARS interim rule implementing it (DFARS Case 2019-D041) was published in September 2020 and opened for public comment.

2021-24: CMMC 2.0 Is Announced Following the Public Comment Period

After receiving more than 850 comments from DIB stakeholders, the DoD initiated an internal review of CMMC 1.0 in March 2021. The result of this review was the announcement in November 2021 that CMMC 2.0 would replace the original model.

CMMC 2.0 was released to the public as a Proposed Rule (32 CFR Part 170) in December 2023, with a 60-day public comment period.

In late June 2024, the 32 CFR rule was submitted to the Office of Management and Budget for final regulatory review, with the Final Rule expected to come into effect by the end of 2024. This rule establishes the CMMC Program itself (the levels, the assessment requirements, and the role of certified third-party assessment organizations, or C3PAOs) and allows third-party assessments to begin.

The companion proposed rule that places CMMC requirements in contracts, the DFARS (48 CFR) rule, is expected to come into effect by May 2025, after which CMMC requirements will be phased into solicitations over a three-year period.

The Key Differences Between CMMC 2.0 and CMMC 1.0

The revisions to the rule were undertaken to streamline and simplify compliance, as well as to more closely align CMMC requirements with the standards laid out in NIST 800-171 that DoD contractors were already expected to meet.

  • The biggest difference is that CMMC 2.0 has fewer levels: CMMC 1.0 had five, 2.0 has three. Level 2 maps directly to the 110 security requirements of NIST SP 800-171 Revision 2; the CMMC-unique practices and maturity processes that 1.0 layered on top were dropped.
  • CMMC 2.0 also allows annual self-assessment at Level 1 (and for a subset of Level 2 contracts), whereas under 1.0 every level required a third-party assessment. Most Level 2 contracts require certification by a C3PAO, and Level 3 requires a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  • CMMC 2.0 permits limited Plans of Action and Milestones (POA&Ms) for certain unmet requirements, with a deadline to close them, which 1.0 did not allow.

Why this matters: The newer version is more flexible and more clearly focused on the requirements that matter most. Because self-assessment is permitted at Level 1 and on some Level 2 contracts, assessment costs will also be lower for many organizations.

Go deeper: For more information on the three levels of CMMC 2.0, see Understanding the 3 Levels of CMMC 2.0.

Arrange a complimentary consultation with an ISI expert to discuss your organization’s CMMC readiness plan.
