CMMC Timeline

2010: EO 13556

On November 4th, 2010, Executive Order 13556 — Controlled Unclassified Information announced the establishment of a program for managing information that requires safeguarding or dissemination controls. CUI effectively replaced the For Official Use Only (FOUO) and Sensitive But Unclassified (SBU) markings. Many government organizations still use these markings, which is a story for another day.

2012: Controlled Unclassified Information (CUI)

In response to the Executive Order, on February 24th, 2012, the Department of Defense released DoD Manual 5200.01, Volume 4, “DoD Information Security Program: Controlled Unclassified Information,” which was eventually superseded by DoD Instruction 5200.48, “Controlled Unclassified Information (CUI),” on March 6th, 2020.

2023: CMMC 2.0, 32 CFR, and 48 CFR

Fast forward to December 26th, 2023: the DoD published a proposed rule to update Title 32 of the Code of Federal Regulations (CFR), meaning it introduced a draft regulation or policy change for public consideration and comment. The DoD then submitted the draft CMMC 2.0 rule to the Office of Information and Regulatory Affairs (OIRA) on June 27th, 2024. The 32 CFR CMMC Final Rule is expected to be published in October of 2024, with a 60-day turnaround before it takes effect.

Title 32 addresses National Defense programs; the new part 170 will sit in the "Defense Contracting" section of Chapter 1.

2024: 48 CFR & DFARS 252.204-7021

In addition, on August 15th, 2024, the DoD proposed a final rule to update Title 48 of the CFR, which pertains to federal contract clauses and provisions. Specifically, this proposed rule updates the DFARS 252.204-7021 clause for Contractor Compliance with Cybersecurity Maturity Model Certification Level requirements.

“DoD is implementing a phased rollout of CMMC. Over a three-year period CMMC will be phased in based on the CMMC 2.0 program requirements identified at 32 CFR part 170. The clause at DFARS 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements, is prescribed for use in solicitations and contracts that require the contractor to have a specific CMMC level, including solicitations and contracts using Federal Acquisition Regulation (FAR) part 12 procedures for the acquisition of commercial products and commercial services, excluding acquisitions exclusively for commercially available off-the-shelf (COTS) items.”

DFARS 252.204-7021 needs to be updated alongside the final CMMC 2.0 rule because it currently mandates compliance with NIST SP 800-171 requirements, although there is no accountability beyond self-attestation. CMMC 2.0 defines the assessment and certification process, including self-certification for Level 1. When this DFARS clause is included in a Prime's contract, the Prime flows it down into its subcontracts.

2025: CMMC Assessments will finally be available

This all started before 2010, and it finally looks like we are on track for the requirements to go live around the beginning of 2025. Non-compliance may jeopardize contract awards once 32 CFR and 48 CFR are updated along with DFARS 252.204-7021. While there is a lot of discussion and confusion about CMMC, the whole implementation is planned to take place over a three-year phased rollout. Don’t give in to the fear-mongering of consultants trying to make this thing an emergency, but also don’t “take your foot off the gas” and settle for non-compliance. Syndo is here to help your organization, please reach out with questions!
