CMMC Program Review

Cybersecurity is a primary concern for the Department of Defense.

The Defense Industrial Base (DIB) faces increasingly frequent and sophisticated cyberattacks. To safeguard American innovation and national security data, the DoD created the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, emphasizing the critical role of DIB cybersecurity in protecting information essential to our military personnel.

CMMC Program Review

The Cybersecurity Maturity Model Certification (CMMC) program aligns with the Department of Defense’s (DoD) information security requirements for Defense Industrial Base (DIB) partners. It is designed to ensure that sensitive unclassified information the DoD shares with its contractors and subcontractors, specifically federal contract information (FCI) and controlled unclassified information (CUI), is protected. The program gives the Department greater confidence that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and to the systems that process, store or transmit that information.

The CMMC 2.0 program includes three main aspects:

  1. Tiered Model: Companies handling national security information must implement cybersecurity standards at increasingly advanced levels based on the type and sensitivity of the information they handle. CMMC 2.0 defines three levels: Level 1 (Foundational) covers the basic safeguarding requirements of FAR 52.204-21 for FCI; Level 2 (Advanced) aligns with the 110 security requirements of NIST SP 800-171 for CUI; Level 3 (Expert) adds a subset of the enhanced requirements from NIST SP 800-172. The program also outlines how subcontractors must protect information flowed down to them.
  2. Assessment Requirement: CMMC assessments enable the Department to verify that clear cybersecurity standards are being implemented. The assessment type depends on the level: annual self-assessments at Level 1, self-assessments or third-party (C3PAO) assessments at Level 2 depending on the sensitivity of the information, and government-led assessments at Level 3.
  3. Implementation through Contracts: When fully implemented, DoD contractors handling sensitive unclassified DoD information will need to achieve the CMMC level specified in the solicitation as a condition of contract award.

The Transition to CMMC 2.0

In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.

In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.

In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

  • Safeguard sensitive information to enable and protect the warfighter
  • Enforce DIB cybersecurity standards to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Perpetuate a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards

With the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, the Department is introducing several key changes that build on and refine the original program requirements.