
History of the CMMC 2.0: The Interplay Among NIST, DFARS, CMMC

2015
NIST 800-171

2016
DFARS 7012

2020
CMMC 1.0

2021
CMMC 2.0

2015

NIST 800-171

In mid-2015, NIST issued Special Publication (SP) 800-171. This mandated the protection of Controlled Unclassified Information (CUI) when housed in non-federal organizations, such as DoD contractors, collectively known as the Defense Industrial Base (DIB). It provided DoD contractors, whether prime contractors or subcontractors, with recommended requirements for protecting the confidentiality of CUI while processing, storing, or transmitting it.

2016

DFARS – DoD Regulation

In 2016, DFARS 252.204-7012 was made official. DFARS 7012, as it is commonly referred to, is a DoD regulation that requires the protection and “adequate security” of CUI. The regulation is based on the guidance, best practices, and compliance framework of the NIST SP 800-171. Under DFARS 7012, DoD contractors were responsible for instituting their own cybersecurity safeguards, monitoring their compliance, and self-certifying. Because official audits were rare, compliance was inconsistent among DoD contractors. 


2020

CMMC 1.0 Framework

In February 2020, the DoD released Cybersecurity Maturity Model Certification (CMMC) 1.0, a framework to assess a contractor’s cybersecurity maturity and outline requirements related to the protection of CUI. The DoD worked with Carnegie Mellon University Software Engineering Institute and the Johns Hopkins Applied Physics Lab (APL) to construct the CMMC framework.

In September 2020, the DoD published DFARS clauses 252.204-7019, -7020, and -7021. Collectively, these clauses describe the rulemaking process and the mandated requirements for CMMC. They set out the regulatory requirements for all contractors wishing to hold contracts with the DoD.

2021

CMMC 2.0 Framework

In November 2021, the DoD released the updated framework for CMMC 2.0, which includes only three levels of maturity. Level 1 certification can be achieved by a self-assessment. Some, perhaps all, Level 2 certifications must be completed by accredited third-party assessment organizations (3PAOs). Level 3 certifications will be initiated and completed by the DoD or appointed agencies/organizations.

2023

CMMC 2.0 Requirement

The expectation is that the CMMC requirement will be placed in DoD contracts, RFIs, and RFPs as early as spring 2023. 


Get Started with Cerberus Sentinel

Time is of the essence with your CMMC 2.0. Partner with us to make sure you are ready.