CMMC History and Evolution: From Inception to Today

Pretorin Team

The Cybersecurity Maturity Model Certification (CMMC) represents the Department of Defense's most significant effort to secure the Defense Industrial Base. Understanding its history helps contractors prepare for what's ahead. This is the first article in our CMMC series.

The Problem: A Vulnerable Defense Industrial Base

Before CMMC, the Department of Defense relied primarily on contractor self-attestation for cybersecurity compliance. Defense contractors handling Controlled Unclassified Information (CUI) were expected to implement the 110 security requirements in NIST SP 800-171, but verification was minimal.

The results were predictable. High-profile breaches exposed sensitive defense information to adversaries, with estimates suggesting the U.S. was losing $600 billion annually to cyber theft and intellectual property exfiltration. Nation-state actors, particularly from China, Russia, and other adversaries, systematically targeted the defense supply chain.

2019: CMMC is Born

In May 2019, Katie Arrington, then Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, unveiled the concept of CMMC at the Georgetown Cybersecurity Law Institute. The announcement marked a fundamental shift from self-attestation to third-party verification.

"We cannot afford not to do this," Arrington said at a July 2019 event. "We're losing $600 billion a year to our adversaries in exfiltrations, data rights, R&D loss."

Throughout the summer of 2019, the DoD conducted a "CMMC Listening Tour" with five outreach events to gather industry feedback. Hundreds of industry representatives contributed to developing what would become CMMC 1.0.

January 2020: CMMC 1.0 Released

CMMC 1.0 was officially released in January 2020 with an ambitious five-level maturity model:

  • Level 1: Basic Cyber Hygiene (17 practices)
  • Level 2: Intermediate Cyber Hygiene (72 practices)
  • Level 3: Good Cyber Hygiene (130 practices)
  • Level 4: Proactive (156 practices)
  • Level 5: Advanced/Progressive (171 practices)

The framework required third-party assessments for all levels and included unique CMMC practices beyond NIST 800-171. While thorough, industry feedback highlighted concerns about cost, complexity, and the burden on small businesses.

2021: The Pause and Reset

In early 2021, incoming Deputy Secretary of Defense Kathleen Hicks directed a full review of the CMMC program. The DoD acknowledged that CMMC 1.0, while well-intentioned, created an excessive burden, particularly for the small and medium businesses that make up much of the defense supply chain.

On November 4, 2021, the DoD announced CMMC 2.0, a streamlined version designed to:

  • Reduce costs and administrative burden
  • Increase trust in the assessment ecosystem
  • Better align with existing federal standards (NIST 800-171)
  • Allow self-assessment options where appropriate

CMMC 2.0: The Three-Level Model

The most significant change in CMMC 2.0 was consolidating five levels into three. Levels 2 and 4 from version 1.0 were eliminated. The DoD explained these were "transition levels never intended to be assessed requirements."

Level 1: Foundational

  • Purpose: Protect Federal Contract Information (FCI)
  • Requirements: 17 practices derived from FAR 52.204-21
  • Assessment: Annual self-assessment
  • Target: All contractors handling FCI

Level 2: Advanced

  • Purpose: Protect Controlled Unclassified Information (CUI)
  • Requirements: 110 practices aligned with NIST SP 800-171 Rev 2
  • Assessment: Self-assessment or third-party (C3PAO) depending on contract
  • Target: Contractors handling CUI

Level 3: Expert

  • Purpose: Protect against Advanced Persistent Threats (APTs)
  • Requirements: 110+ practices (NIST 800-171 plus 24 from NIST 800-172)
  • Assessment: Government-led assessment
  • Target: Highest-priority defense programs

December 2024: The Final Rule

After years of development and rulemaking, the CMMC Final Rule (32 CFR) was published in the Federal Register on October 15, 2024. The rule went into effect on December 16, 2024, officially establishing CMMC as a DoD program. Official documentation, including the Model Overview and Assessment Guides, is available at the DoD CIO CMMC Resources page.

Key dates from the final rule:

  • December 16, 2024: Final Rule effective; CMMC program officially established
  • January 2, 2025: C3PAO assessments may begin
  • Mid-2025: DFARS rule (48 CFR) expected to add CMMC to contract requirements
  • 2025-2028: Phased implementation across DoD contracts

The Four-Phase Implementation

The DoD designed a phased rollout to give contractors time to prepare:

Phase 1 (Year 1)

DoD includes requirements for CMMC Level 1 (Self) or Level 2 (Self) in applicable solicitations. Contracting officers have discretion to require Level 2 (C3PAO) for specific contracts.

Phase 2 (Year 2)

Broader inclusion of Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO) requirements as conditions of award.

Phase 3 (Year 3)

CMMC Level 2 certifications required for contract option periods. Level 3 requirements introduced for applicable programs.

Phase 4 (Full Implementation)

Complete CMMC requirements across all applicable DoD contracts, expected through 2028.

Looking Ahead: NIST 800-171 Rev 3

While CMMC Level 2 is currently aligned with NIST SP 800-171 Revision 2, NIST has released Revision 3, which includes updates and three additional domains:

  • Supply Chain Risk Management
  • Planning
  • System and Services Acquisition

Future CMMC updates will likely incorporate Rev 3 requirements. Contractors preparing for CMMC should be aware of these coming changes, though current compliance focuses on Rev 2.

Key Takeaways

  • CMMC originated in 2019 to address widespread cybersecurity failures in the defense supply chain
  • Version 2.0 reduced from five levels to three, lowering burden while maintaining security
  • The Final Rule went into effect December 16, 2024
  • Implementation will be phased through 2028
  • Most contractors will need Level 1 (FCI) or Level 2 (CUI) certification

Next in the Series

Now that you understand CMMC's history and structure, the next article dives deep into CMMC Level 1, covering all 17 foundational practices with practical implementation guidance.
