The Cybersecurity Maturity Model Certification (CMMC) Program is designed to verify protection of sensitive unclassified information shared between or generated by the Department of Defense (DoD) and its contractors and subcontractors.
CMMC has its origins in the November 2010 Executive Order (E.O.) 135556. The intent of this Order was to “establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls.” As a result, the E.O. established the Controlled Unclassified Information (CUI) Program to standardize the way the executive branch handles information requiring safeguarding or dissemination controls.
In 2019, DoD announced the development of CMMC in order to move away from a “self-attestation” model of security. It was first conceived by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to secure the Defense Industrial Base (DIB) sector against evolving cybersecurity threats.
In September 2020, DoD published an interim rule, Defense Federal Acquisition Regulation Supplement (DFARS): Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041), which implemented the DoD’s initial vision for the CMMC Program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model of practices and processes, required assessments, and implementation through contracts) to protect Federal Contract Information (FCI) and CUI.
In November 2020, the interim rule (CMMC 1.0) became effective, establishing a five-year phase-in period.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements with three key features:
• Tiered Model: cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information.
• Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
• Implementation through Contracts: CMMC level as a condition of contract award.
In December 2023, the CMMC 2.0 rule was published.
In February 2025, CMMC 2.0 assessments will start.
In October 2025, CMMC 2.0 in contracts will begin.
There are 3 levels of CMMC depending on the types of data you handle as a part of your DoD contracts.
For Level 2, which is the most common, it takes an average of 12-18 months to prepare for a CMMC assessment, plus another 9-15 months of wait time to get assessed.
Did you start your assessment in July 2023? If not, you are falling behind.
Jivoo has a NIST 800-171 Rev 3 and CMMC 2.0 readiness assessment solution leveraging our AI-powered Compliance CoPilot.
Getting Started
For more information on how Jivoo can help your organization prepare for a CMMC audit and maintain CMMC compliance over time, along with the changes from NIST 800-171 r2 to r3, download our CMMC Report.