After years of substantial amendments, the previous version of the Cybersecurity Maturity Model Certification (CMMC 1.0) eventually gave way to a new framework following the publishing of the CMMC Final Rule by the US Department of Defense (DoD) on October 15, 2024. The new CMMC rule imposes mandatory compliance with a series of cybersecurity protocols on all defense vendors, a significant modification from the program’s earlier iteration, which emphasized compliance for prime contractors.
All Defense Industrial Base (DIB) companies must move swiftly to obtain CMMC certification under their respective maturity levels. Early adopters can unlock a slew of commercial and regulatory perks, including being eligible for DoD’s lucrative contracts.
On the flip side, there’s a heavy price to pay for noncompliant DIBs. Penalties range from potential contract terminations to business-crippling fines.
According to CMMC news, another significant change that came with CMMC 2.0 was the introduction of a phased implementation.
This post uncovers CMMC’s evolution and what defense vendors should expect from each rollout phase.
Following the most heinous terrorist attack on United States soil, the government embarked on concerted efforts to reform its security response systems. Central to these endeavors was the Department of Defense.
It’s important to remember that one of the hijacked planes, American Airlines Flight 77, crashed into the Pentagon, killing all 64 on-board passengers plus 125 people at the defense headquarters. This wasn’t merely a breach of DoD’s information systems. It was a major compromise on its physical infrastructure, too.
Following the attacks, the government grew increasingly concerned about how critical information was shared within and outside federal systems. There was a dire need for more robust cybersecurity controls within the DIB.
Now, the CMMC cybersecurity program may not have featured directly in initial efforts to reevaluate the DoD’s strategies. However, many of the framework’s controls can be dated back to post-9/11 cybersecurity reforms.
In 2003, the Federal Information Security Management Act (FISMA) was enacted. This development signaled the publishing of the National Institute of Standards and Technology (NIST) 800-171 program, which encouraged protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations against emerging cybersecurity threats.
A significant difference between FISMA and NIST 800-171 is that the former emphasizes protecting federal information systems while the latter seeks to safeguard CUI in non-federal entities.
NIST 800-171 is also considered the real precursor to the current DoD CMMC program. That’s because the framework was created to offer professional guidance on the Department of Defense’s original cybersecurity requirements – Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.
After years of development, version 1.0 of NIST 800-171 was finally unveiled. The framework underwent several amendments that produced version 1.1, which was published as a public draft in 2014 and later as the final program on April 16, 2018.
Subsequent amendments produced NIST 800-171 version 2.0, which was released in 2024 and is the framework’s most up-to-date iteration.
NIST 800-171 played a critical role in minimizing cybersecurity incidents during the years following its release. A 2016 survey found that 70% of federal and nonfederal agencies regarded the NIST Cybersecurity Framework (CSF) as the most robust cybersecurity program.
However, there were two major sticking points.
First, the NIST CSF primarily targeted non-federal agencies. The implication is that the DIB supply chain was still considerably exposed to cyber-attacks.
More concerning was the fact that NIST 800-171 compliance was optional. The DoD reckoned that leaving cybersecurity compliance to the discretion of its vendors posed serious threats to its critical infrastructures. In fact, a survey conducted by the federal agency uncovered that contractors willfully lied about their NIST 800-171 compliance status.
To safeguard its infrastructure and supply chain, the DoD developed the CMMC cybersecurity program, which would specifically obligate compliance for all DIB contractors and subcontractors.
CMMC’s development was spearheaded by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). To create the program, the DoD tapped into existing contracts with various non-federal institutions, including the Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University, and Futures, Inc.
In 2019, the DoD announced the creation of CMMC’s initial framework – CMMC 1.0. The version was publicly released on January 31, 2020, and would be overseen by the CMMC Accreditation Body (CMMC AB or Cyber AB).
Defense contractors would no longer self-attest their compliance with NIST SP 800-171 controls. Instead, the new framework defined (i) the specific cybersecurity protocols that DIB companies must satisfy and (ii) the different maturity levels required to achieve those standards.
While the creation of CMMC 1.0 was a significant step towards safeguarding the defense supply chain, the program was far from perfect. After its release, comments from the public began to flow in fast and furious, with many recommending an upgrade to the framework.
In early 2021, the DoD announced it was working on CMMC 2.0. The program’s updated version was unveiled in September 2021 for public feedback.
After several months of reforming CMMC 2.0 based on received comments, the DoD eventually published the framework as a proposed rule on December 26, 2023. CMMC was subsequently published as a Final Rule in the Federal Register on October 15, 2024, and became operational on December 16, 2024.
CMMC became the DoD’s official cybersecurity program after its publication in the Federal Register. Unlike NIST 800-171, which is optional, CMMC 2.0 compliance is mandatory for existing and aspiring defense contractors.
CMMC was created to thwart advanced cyber-attacks targeted at the defense supply chain. The past few years have witnessed aggressive breaches to the DoD’s critical infrastructures, including the SolarWinds Attack of 2020 and the Colonial Pipeline Attack of 2021.
By obligating defense suppliers to implement a CMMC policy template, the DoD is able to avert or mitigate attacks to its supply chain more effectively.
One of the critical changes in the recently unveiled CMMC 2.0 framework was the revision of maturity levels from five to three.
DIB vendors seeking Level 1 compliance may self-assess, while those aspiring to CMMC Level 2 certification need to enlist the services of CMMC third-party assessor organizations (C3PAOs). Level 3 assessments are conducted strictly by government-approved auditors.
The eventual operationalization of CMMC 2.0 in December 2024 threw the DIB supply chain into a spin, as vendors began jostling for early CMMC 2.0 compliance. While complying with CMMC 2.0 controls must be considered mandatory and urgent, there are key rollout dates to bear in mind.
Here’s a breakdown of CMMC 2.0’s implementation phases:
Phase 1 constitutes the initial rollout stage and is expected to kick off as soon as DFARS 252.204-7021 is finalized. This phase will begin in early-to-mid 2025 and run for six months, during which DoD suppliers will be required to adopt essential CMMC controls for self-assessment.
Note that DoD contractors won’t be obligated to obtain CMMC certification during Phase 1. However, they’ll need to self-assess and affirm their CMMC Level 1 and 2 security controls when bidding for new DoD tenders.
Phase 2, also christened ‘the requirement expansion phase,’ will seek to integrate Level 2 CMMC assessments into all DoD contracts that involve CUI. Phase 2 will commence one year after the rollout of Phase 1 and last around 6 – 16 months.
All DIB companies that aspire to bid on tenders that require CMMC Level 2 certifications should obtain compliance by early 2026.
During Phase 3, also known as the scoping phase, the DoD will impel defense contractors to enforce advanced cybersecurity controls to safeguard the DIB network against more sophisticated threats.
A critical requirement under Phase 3 will be mandatory compliance with CMMC Level 2 certification controls as a condition for exercising option periods on relevant DoD tenders awarded after CMMC 2.0’s operational date.
In addition, vendors will need to schedule Level 3 assessments and obtain certification to be deemed duly compliant. Phase 3 will begin around early-to-mid 2027 and will run for 18 – 30 months.
Phase 4 will commence in early-to-mid 2028 and signal the completion of CMMC 2.0’s rollout. The phase will last for 30+ months, during which the DoD will require compliance across all CMMC Levels. Phase 4 will also see the DoD integrate CMMC controls into applicable CMMC tenders, regardless of when the contracts were awarded.
The phased implementation of the CMMC framework came as excellent news for DIB companies still smarting from the aftershocks of CMMC 2.0’s rollout. By splitting compliance into multiple stages, defense vendors will have ample time to obtain the necessary certifications to transition to the new CMMC framework.
Although the Cybersecurity Maturity Model Certification will be rolled out incrementally until 2028, industry experts recommend pursuing early CMMC certification. Compliant businesses can gain a competitive edge, avoid noncompliance fines, and better understand their cybersecurity posture.
According to CMMC news, defense industrial base companies seeking CMMC certification under Level 1 maturity can self-assess and affirm their continued compliance with the framework annually. For subsequent levels, certification is only awarded following rigorous cybersecurity audits conducted triennially by authorized third-party assessors.
Working with a seasoned C3PAO can help accelerate your CMMC Level 2 compliance. Choose a Cyber AB-authorized auditor with a proven track record of working with businesses similar to yours.
If you’re seeking Level 3 compliance, it’s prudent to comply with all Level 2 protocols and then apply for an assessor directly to the Department of Defense.