CMMC 2.0 represents a significant overhaul of the Department of Defense’s (DoD) cybersecurity framework for defense contractors.
After receiving feedback from the defense industry, Congress, and other stakeholders, the DoD moved away from its original CMMC framework (known as CMMC 1.0) toward a more streamlined model (known as CMMC 2.0).
Announced in November 2021, CMMC 2.0 made key changes to the original framework to meet three objectives:
- reducing costs, particularly for small businesses
- increasing trust in the CMMC assessment ecosystem
- clarifying and aligning cybersecurity requirements to existing federal requirements and commonly accepted standards
To ensure continued alignment with federal regulations and input from industry stakeholders, CMMC 2.0 underwent a rigorous rulemaking process. Understanding this process is essential for defense contractors and subcontractors preparing for compliance. Let’s break down the process below.

Think about all the important data that defense contractors handle – plans, communications, project details. The Department of Defense (DoD) wants to make sure that this information is well-protected from cyber threats.
The DoD is rolling out the Cybersecurity Maturity Model Certification (CMMC) program to ensure that companies working with them have sufficient cybersecurity measures in place to protect sensitive information.
But when exactly is this program in effect? Let’s go over the timeline below.
Key stages in the CMMC 2.0 rulemaking process: How the 32 CFR CMMC Program Rule was finalized
The CMMC 2.0 rulemaking process followed a structured approach to ensure clarity, transparency, and industry engagement. However, because of the length of the rulemaking process, it may not seem so clear. Below we’ll break down the process into the most important milestones so you can better understand how the program has evolved over time.

Please note that this section will cover the rulemaking process for the 32 Code of Federal Regulations (CFR) CMMC Program rule, which officially established the CMMC 2.0 program. There is a separate rulemaking process for the 48 CFR CMMC Acquisition rule, which will implement CMMC policies in DoD contracts. This process is still ongoing and will be covered in the next section.
December 2023: Release of the CMMC 2.0 Proposed Final Rule (32 CFR rule)
On December 26, 2023, the DoD published the 32 CFR CMMC Program Rule, the much-anticipated proposed rule change for the CMMC program. Dubbed CMMC 2.0, the proposed rule change revised certain aspects of the program to address public concerns in response to DoD's initial vision for the CMMC 1.0 program published back in 2020.
Most notably, CMMC 2.0 streamlined and simplified the process for small and medium-sized businesses by reducing the number of assessment levels from five to three. These levels align cybersecurity requirements to the sensitivity of the unclassified information to be protected. It also added a self-assessment requirement, under which contractors affirm implementation of the applicable cybersecurity requirements, and a certification requirement, under which a third party verifies that implementation. These elements were added to ensure accountability while minimizing barriers to compliance with DoD requirements.
February 2024: End of public comment period for the CMMC 2.0 Proposed Final Rule
The rule change was open for comment for 60 days. During this period, industry stakeholders submitted feedback on the proposed rule. Nearly 800 comments were received before the public comment period closed on February 26, 2024 at 11:59 p.m. These comments informed the Final Rule.
October 2024: Release of the CMMC 2.0 Final Rule
The DoD reviewed comments and made adjustments to improve the feasibility and effectiveness of the final 32 CFR rule. Because of the number of comments, this took most of 2024. The DoD published this final rule, also known as the updated 32 CFR rule, in the Federal Register on Tuesday, October 16 for a 60-day congressional review period.
December 2024: Effective date of the CMMC 2.0 Final Rule
CMMC 2.0 completed its 60-day congressional review period without any changes on December 16, 2024. At this point, rulemaking was complete and the CMMC 2.0 program went into effect.
While assessments were available at this time, CMMC requirements were not included in DoD contracts yet. Let’s look at why below.
The rulemaking process for the 48 CFR CMMC Acquisition Rule
While the 32 CFR rulemaking process is complete and CMMC 2.0 is in effect, it is not being mandated in DoD contracts yet. Why? Because there is a separate rulemaking process for the 48 CFR CMMC Acquisition rule that is still ongoing. This rule must be final to update contractual requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the program.
We’ll break down this process into the most important milestones so you can better understand when the DoD will include CMMC requirements in solicitations and contracts.

September 2020: Release of the 48 CFR CMMC Acquisition interim final rule
On September 9, 2020, the DoD published the 48 CFR CMMC interim final rule, Defense Federal Acquisition Regulation Supplement (DFARS): Assessing Contractor Implementation of Cybersecurity Requirements. This implemented the DoD’s vision for the initial CMMC Program and outlined the basic features of the framework, including the five-tiered model, required assessments, and implementation through contracts, to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
This interim rule was open for public comment for 60 days. During this period, the DoD received approximately 750 comments. These comments highlighted a variety of industry concerns related to:
- the costs for a C3PAO certification
- the costs and burden associated with implementing, prior to award, the required process maturity and 20 additional cybersecurity practices that were included in the CMMC 1.0 Program
- interpretations of the CMMC framework implementation requirements and control objectives
- the impact the rule would have on small businesses in the defense industrial base (DIB)
November 2020: Effective date of 48 CFR interim final rule
The 48 CFR CMMC interim final rule became effective on November 30, 2020. Designed to increase compliance with the DoD’s cybersecurity regulations and improve security throughout the DIB, this rule introduced one new provision and two new clauses:
- DFARS provision 252.204-7019: Requires contractors to conduct a NIST SP 800-171 self-assessment and submit scores via the Supplier Performance Risk System (SPRS) for contract eligibility.
- DFARS clause 252.204-7020: Ensures subcontractors have SPRS scores on file before contract award.
- DFARS clause 252.204-7021, also known as 48 CFR 252.204-7021: Mandates contractors achieve and maintain the required CMMC certification level and flow down requirements to subcontractors.
This rule kicked off the five-year phase-in period.
March 2021: Start of DoD’s internal review of CMMC’s implementation
Because the DoD received so much feedback on the 48 CFR CMMC interim final rule, it decided to pause the planned CMMC rollout and initiate an internal review of CMMC’s implementation in March 2021. This review involved cybersecurity and acquisition leaders within the DoD, who refined policy and program implementation based on the input that the DoD and the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) had received relating to the initial CMMC Program.
August 2024: Release of proposed rule change to 48 CFR
On August 15, 2024, the Department of Defense (DoD) published for public comment its proposed amendments to the 48 Code of Federal Regulations (CFR) rule. These amendments focused on incorporating contractual requirements related to the CMMC 2.0 program requirements proposed in 32 CFR part 170.
The most notable changes included:
- Requiring contractors to prove CMMC compliance at the level included in a given solicitation and contracting officers to verify the results in the SPRS.
- Requiring contractors to obtain certifications or perform self-assessments under the CMMC program before contract award by adding a new provision, DFARS 252.204-7YYY.
- Requiring contractors to maintain compliance at the specified CMMC level throughout contract performance and notify contracting officers if lapses or changes in CMMC certification levels occur.
- Removing the Non-Federal Organization (NFO) control requirements.
October 2024: End of public comment period
The public comment period closed on October 15, 2024 at 11:59 p.m. At this point, the DoD had to review this feedback and make any final changes to the rule before submitting it to the Office of Information and Regulatory Affairs (OIRA) for regulatory review. The rule was expected to go before Congress in mid-October, but this did not happen.
Q2 2025: Expected effective date of 48 CFR rule
The rule was expected to go before Congress in mid-October 2024 so that it could be finalized before the end of December 2024. This needed to happen because 2024 was an election year and a new Congress was going to be instituted in early January 2025, and the congressional disapproval period can’t cross from one Congress to the next. Since the rule did not go before Congress before the new Congress was instituted, the rulemaking process was delayed. The 48 CFR rule is now expected to become final sometime in Q2 2025.
When finalized, this rule will allow the DoD to require a specific CMMC level in a solicitation or contract. At that time, contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of the contract award.
Impact of the rulemaking process on defense contractors
The rulemaking process influences how and when defense contractors must comply with CMMC 2.0.
Key considerations include:
- Current program requirements: With the 32 CFR CMMC Program rule finalized, organizations should align cybersecurity practices with CMMC 2.0 levels and the 110 requirements from NIST SP 800-171 Revision 2.
- Potential modifications: Public comments and DoD revisions may lead to changes in the 48 CFR CMMC Acquisition rule, which will dictate contract language. This means it’s crucial for defense contractors to monitor updates and prepare for eventual compliance mandates.
- Compliance timeline subject to change: While organizations should monitor 48 CFR rulemaking updates to anticipate when CMMC 2.0 requirements will become mandatory in DoD contracts, they should also proactively enhance their cybersecurity posture in anticipation of CMMC requirements becoming enforceable in DoD contracts. The sooner they get ready, the better.
FAQs
Is CMMC 2.0 rule-making complete?
As of October 15, 2024, the rule-making process for CMMC 2.0 was complete, with the DoD publishing the final rule (32 CFR).
What’s the difference between an interim and proposed rule for CMMC?
The difference between a proposed rule and an interim rule is when the changes go into effect relative to the public comment period that precedes a final rule. An interim rule is effective before the DoD responds to public comments, whereas a proposed rule is effective only after the DoD responds to public comments. CMMC 1.0 was an interim rule, while CMMC 2.0 was a proposed rule that established security requirements for FCI and CUI, included a period for public comment and review, and worked its way through the full rulemaking process to a final rule.
Can an organization get CMMC certified before the 48 CFR rule is final?
Yes, assessments became available in December 2024, when the rulemaking process for the 32 CFR rule was complete. While the CMMC Program's assessment phase-in plan, as described in § 170.3, has not officially begun, this does not preclude defense contractors and subcontractors from immediately seeking a CMMC certification assessment before the 48 CFR CMMC Acquisition rule is finalized and the clause is added to new or existing DoD contracts.