What is CMMC 2.0? Who needs to earn a CMMC certification, and what is that process like? Smithers can answer all of your questions about CMMC certification, assessments, and more. 

How Did CMMC Become a Rule?

The Defense Federal Acquisition Regulation Supplement (DFARS) was first updated in 2016, which set the groundwork for CMMC. That update required all Department of Defense (DoD, now also styled the Department of War, DoW) contractors and their subcontractors to self-assess against the cybersecurity requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The 2019 DFARS update added the Cybersecurity Maturity Model Certification requirement, supported by an independent assessment every three years. DoW contractors and subcontractors handling controlled unclassified information (CUI) were given five years to implement these changes.

The CMMC Accreditation Body (CMMC-AB, now the Cyber-AB) was established in 2019 as a joint venture between Carnegie Mellon University, The Johns Hopkins University Applied Physics Laboratory LLC, and Futures, Inc. It accredits and oversees the assessment ecosystem under a no-cost contract, while the program itself is owned by the DoW CIO office. In 2019 the CMMC-AB released the first draft of CMMC 1.0, covering the credentials required for independent assessors and how assessments of DoW contractors are to be conducted.

The DoW paused CMMC 1.0 in 2021 and began evaluating and updating the DFARS rules for independent assessments, which resulted in CMMC 2.0. This brought several critical changes: removal of the CMMC maturity processes, alignment of the body of the assessment to the NIST SP 800-171 security controls, and a reduction from five CMMC levels to three. Lastly, the governing body was renamed the Cyber-AB to reduce confusion between the DoW's CMMC requirements and the Cyber-AB's role of accrediting the organizations and assessors that conduct CMMC assessments.

CMMC 2.0 was officially established when the 32CFR rule went into effect in December 2024. With the publishing of the 48CFR rule, the four-phase implementation begins on November 10, 2025.

Do I Need CMMC?

If you are not sure whether CMMC applies to you, check out our post on who needs CMMC. It offers a guide so you can tell whether you need to comply. If you have any questions, let us know!


What Questions Do You Have?

CMMC can seem complicated, especially at the start of the compliance journey. What questions can we help you with? Contact us today.

CMMC FAQs

What does CMMC stand for?

CMMC stands for Cybersecurity Maturity Model Certification.

What is 32CFR and 48CFR?

32CFR and 48CFR are the two parts of the CMMC rule. 32CFR (Part 170) establishes the CMMC program itself, including the levels, the assessment requirements, and the roles of the Cyber-AB and assessors, while 48CFR (the DFARS) is the acquisition rule that puts CMMC requirements into DoW contracts. Learn more about 32CFR.

What is SPRS? What is a SPRS score?

SPRS stands for Supplier Performance Risk System. It is the DoW system where contractors have been entering their NIST SP 800-171 self-assessment scores since 2018. A SPRS score is produced by the DoD Assessment Methodology: a contractor starts at 110 (one point per NIST SP 800-171 requirement) and subtracts 1, 3, or 5 points for each requirement not yet implemented, depending on its weight, so 110 is a perfect score and the lowest possible score is -203. Learn more about SPRS.
