The History and Timeline of CMMC: What Small Businesses Need to Know

The Cybersecurity Maturity Model Certification (CMMC) has undergone significant transformation since its inception. What began as a response to growing cybersecurity risks in the defense industrial base (DIB) has evolved into a formal requirement that all Department of Defense (DoD) contractors must now prepare for. This post walks through the complete history and timeline of CMMC — from its earliest roots in NIST 800-171 to the latest developments in 2025.

2015: NIST 800-171 is Born

The foundation for CMMC began with NIST Special Publication 800-171, published in June 2015. It established 110 security controls for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Though adoption was required under DFARS 252.204-7012, compliance was self-attested, with no external verification required. Many contractors failed to meet the controls in practice.

Early 2019: DoD Announces CMMC

The DoD began working on a verification framework to replace self-attestation. In March 2019, Under Secretary for Acquisition and Sustainment Ellen Lord announced the development of CMMC to improve cybersecurity across the DIB.

January 2020: CMMC 1.0 Officially Released

  • CMMC 1.0 was launched in January 2020.

  • It introduced five maturity levels — ranging from basic cyber hygiene (Level 1) to advanced/progressive (Level 5).

  • Level 1 was based on 17 practices derived from FAR 52.204-21, while Level 3 aligned with NIST 800-171.

  • Contractors would need a CMMC certification from a third-party assessor before receiving or renewing contracts.

The original plan was to phase in CMMC over 5 years, starting in Fall 2020.

2020–2021: Pilot Delays and Industry Pushback

Despite initial momentum, only a handful of pilot contracts with CMMC requirements were released. By mid-2021, industry feedback began mounting:

  • Cost concerns for small businesses.

  • Confusion about the five-level model.

  • A lack of clarity around maturity processes.

The DoD paused implementation and launched an internal review.

November 4, 2021: CMMC 2.0 Announced

The result of the DoD's review was CMMC 2.0, which aimed to simplify and refocus the program.

Key changes:

  • Reduced to three levels:

    • Level 1 – 17 practices from FAR 52.204-21 (self-assessed).

    • Level 2 – 110 practices aligned with NIST 800-171 (self-assessed or third-party).

    • Level 3 – Based on NIST 800-172 (for high-priority programs).

  • Maturity processes eliminated.

  • Annual self-attestation allowed for most Level 1 and some Level 2 contractors.

  • Introduction of affirmation from a senior company official — adding legal accountability to self-attestation.

Late 2021 – 2023: Waiting for Rulemaking

Between late 2021 and mid-2023, CMMC 2.0 remained unenforceable because it had not yet been incorporated into the Code of Federal Regulations (CFR).

  • May 2023: CMMC rulemaking package submitted to the Office of Information and Regulatory Affairs (OIRA).

  • July 24, 2023: DoD announced that the rule had been accepted for review.

  • December 26, 2023: The proposed rule was published in the Federal Register.

  • Public comment period: December 2023 – February 26, 2024.

2024–2025: Final Rule and Full Enforcement Approaching

  • Mid-2024: The DoD begins reviewing public comments.

  • Late 2024 – Early 2025: Expected publication of Final Rule in the Federal Register.

  • Following Final Rule: A 60-day waiting period is expected before enforcement begins.

What happens next:

  • Phase-in period (3 years) begins upon publication of the final rule.

  • Contracts will start requiring CMMC certification or self-attestation based on level and information type.

  • CMMC Level 1 self-attestation will become a precondition to bid on most DoD contracts involving FCI.

2025: Where Things Stand Now

  • CMMC Level 1 is enforceable through self-attestation and is already being added to some solicitations.

  • Level 2 contractors may be eligible for self-assessment or may require a C3PAO assessment, depending on the contract.

  • Contractors must:

    • Implement all required practices (e.g., 17 for Level 1).

    • Upload their score to the Supplier Performance Risk System (SPRS).

    • Maintain documentation and policies to prove compliance.

Failure to comply could result in:

  • Loss of contract eligibility.

  • Inability to bid.

  • Risk of False Claims Act violations.

What Small Businesses Can Do Now

Many small contractors still believe they are exempt or that implementation will take years — this is no longer the case. If you handle Federal Contract Information (FCI), you must meet CMMC Level 1 requirements.
