History of CMMC

History of the CMMC 2.0: 

2015
NIST 800-171


2016
DFARS 7012


2020
CMMC 1.0


2021
CMMC 2.0


2022
CMMC 2.0


2025
CMMC 2.0 Implemented


2026

CMMC 2.0 Implementation Begins

The CMMC 2.0 program began phased implementation across DoD contracts following the completion of rulemaking. As CMMC clauses begin appearing in solicitations and contract awards, defense contractors must demonstrate compliance with the required CMMC level to remain eligible for DoD work.

2025

CMMC 2.0 Program Finalized

The Department of Defense finalized rulemaking for the CMMC 2.0 program and announced a phased rollout in four phases over the next three years. Beginning November 2025, CMMC assessment requirements started being incorporated into DoD contracts, with full implementation expected by 2028.

2024

CMMC 2.0 Rulemaking Advances

In 2024, the Department of Defense advanced rulemaking to formally establish the CMMC 2.0 program. The updated regulations prepared the framework for integration into DoD contracts and laid the groundwork for phased implementation of certification requirements across the Defense Industrial Base.

2023

CMMC 2.0 Requirement

The expectation is that the CMMC requirement will be placed in DoD contracts, RFIs, and RFPs as early as spring 2023. 

2021

CMMC 2.0 Framework

In November 2021, the DoD released the updated framework for CMMC 2.0 that includes only three levels of maturity. Level 1 certification can be achieved by a self-assessment. Some, perhaps all, of Level 2 certifications must be completed by certified third-party assessment organizations (3PAOs). Level 3 certifications will be initiated and completed by the DoD or appointed agencies/organizations. 

2020

CMMC 1.0 Framework

On January 31, 2020, the DoD released Cybersecurity Maturity Model Certification (CMMC) 1.0, a framework to assess a contractor’s cybersecurity maturity and outline requirements related to the protection of CUI. The DoD worked with Carnegie Mellon University Software Engineering Institute and the Johns Hopkins Applied Physics Lab (APL) to construct the CMMC framework.

In September 2020, the DoD published DFARS clauses 252.204-7019, -7020, and -7021. Collectively, these clauses describe the rule-making process and the mandated requirements for CMMC. They explain the regulatory requirement for all DIB organizations wanting to hold contracts with the DoD.

2016

DFARS – DoD Regulation

In 2016, DFARS 252.204-7012 was made official. DFARS 7012 is a DoD regulation based on NIST SP 800-171; it requires the protection and “adequate security” of CUI. Under DFARS 7012, DoD contractors were responsible for instituting their own cybersecurity safeguards, monitoring their compliance, and self-certifying. Because official audits were rare, compliance was inconsistent among DoD contractors.

2015

NIST 800-171

In mid-2015, NIST issued Special Publication (SP) 800-171. This mandated the protection of Controlled Unclassified Information (CUI) when housed in non-federal organizations, such as DoD contractors, also known as the Defense Industrial Base (DIB). It provided DIB organizations, whether prime or subcontractors, with recommended requirements for protecting the confidentiality of CUI when processing, storing, or transmitting it.
