The History of CMMC

The Cybersecurity Maturity Model Certification (CMMC) has become one of the most significant compliance requirements for companies operating within the Defense Industrial Base (DIB). Contractors across the supply chain are now being asked not only if they are compliant, but how quickly they can prove it. Understanding where CMMC came from and how it has evolved provides valuable context for organizations preparing to meet the latest requirements.


Early Foundations

The roots of CMMC stretch back to November 2010, when Executive Order 13556 established the Controlled Unclassified Information (CUI) program. The order replaced the patchwork of agency-specific markings such as "For Official Use Only" with a single government-wide framework for designating, marking, safeguarding, and disseminating unclassified information that law, regulation, or policy requires to be protected, and it laid the groundwork for consistent handling requirements across government and industry.

By December 31, 2017, defense contractors handling CUI were required under DFARS clause 252.204-7012 to implement NIST SP 800-171, a set of 110 security requirements designed to protect CUI on contractor information systems. Under this model, contractors simply self-attested to their compliance by accepting the clause, with no requirement to document a score or undergo any review. It quickly became clear that self-attestation alone did not provide the level of assurance the Department of Defense (DoD) required.


The Birth of CMMC

In 2019, the DoD announced the Cybersecurity Maturity Model Certification as a way to strengthen accountability and verification. The idea was to move beyond unverified self-attestation and introduce independent, third-party assessments where the sensitivity of the information warranted them.

The first formal version of the model, CMMC 1.0, was released in January 2020. It was followed by an interim DFARS rule that took effect on November 30, 2020 and added three new clauses: 252.204-7019, 252.204-7020, and 252.204-7021. The first two required contractors to complete a NIST SP 800-171 self-assessment using the DoD Assessment Methodology and post the resulting score in the Supplier Performance Risk System (SPRS) before award; the third was the placeholder for CMMC itself. CMMC 1.0 defined five maturity levels, from Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive). Level 1 was intended for contractors handling only Federal Contract Information (FCI), while the higher levels applied to organizations dealing with CUI.


Streamlining to CMMC 2.0

By November 2021, the DoD responded to industry feedback by introducing CMMC 2.0. The model reduced complexity by consolidating the five levels down to three:

  • Level 1 (Foundational): Focused on protecting FCI with the 15 basic safeguarding requirements of FAR 52.204-21. Compliance is demonstrated through an annual self-assessment and an affirmation by a senior company official.
  • Level 2 (Advanced): Built directly on the 110 NIST SP 800-171 requirements. Depending on the solicitation, this level requires either a triennial self-assessment with an annual affirmation or a triennial third-party assessment by a Certified Third-Party Assessor Organization (C3PAO).
  • Level 3 (Expert): Intended for the most sensitive defense programs. In addition to the 110 Level 2 requirements, it adds 24 enhanced requirements drawn from NIST SP 800-172, and it is assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than by a C3PAO. A final Level 2 certification is a prerequisite for a Level 3 assessment.

Rulemaking and Finalization

The DoD began the formal rulemaking process in December 2023 with a proposed rule under Title 32 of the Code of Federal Regulations (32 CFR Part 170), which defines the CMMC program itself, followed in August 2024 by a proposed rule under Title 48 (the DFARS), which puts the program into contracts. After extensive reviews and public feedback, the final 32 CFR program rule was published on October 15, 2024, and became effective on December 16, 2024. This rule formally codified the three-level structure of CMMC 2.0.

The second rule followed on September 10, 2025, when the DoD published the final 48 CFR (DFARS) rule making CMMC a contractual requirement. That rule takes effect on November 10, 2025. Beginning then, solicitations can carry the 252.204-7025 provision, which gives notice of the CMMC level required, and resulting contracts can include the 252.204-7021 clause, which obligates the contractor to maintain that level for the life of the contract. Contractors that do not have the required CMMC status recorded in SPRS at the time of award are ineligible for that award.


What Has Changed for Contractors

Under the final rules, CMMC requirements will be phased into contracts over a three-year period, beginning November 10, 2025 and reaching full application across the DIB on November 10, 2028. The rules also allow Plans of Action and Milestones (POA&Ms) at Levels 2 and 3, but not at Level 1. A contractor can receive a Conditional status while closing gaps, provided the assessment scores at least 80 percent (88 of the 110 requirements at Level 2) and the open items are limited to lower-weighted requirements; the most heavily weighted requirements cannot be deferred. Remediation must be completed and verified within 180 days, or the Conditional status expires and the contractor is no longer eligible for awards that require that level.
</gra_replace>
<gr_replace lines="41" cat="clarify" orig="Service providers remain in scope">
External service providers, including managed service providers and cloud providers, are in scope of a contractor’s assessment if they process, store, or transmit CUI, or if their services can affect the security of the systems that do. Cloud services that handle CUI must meet FedRAMP Moderate or an equivalent baseline under DFARS 252.204-7012. Other providers are not required to hold their own CMMC certification in every case, but their services are assessed as part of the contractor’s scope, so contractors are strongly advised to work with partners that have already been assessed by a C3PAO or can otherwise document how they meet the relevant requirements. A provider with weak or undocumented controls can cause a contractor’s own assessment to fail.

Service providers remain in scope of a contractor’s audit if they process, store, transmit, or can affect the security of CUI systems. While these providers may not be required to hold independent certification in every case, contractors are strongly advised to work with C3PAO-validated partners. If a provider lacks sufficient security controls, it can still impact the outcome of the contractor’s assessment.


Looking Ahead

CMMC has evolved from an idea in 2019 into a fully codified requirement now tied directly to DoD contracting. What began as a five-level model has been streamlined to three, but the intent remains the same: to enforce stronger protection of CUI and Federal Contract Information across the entire defense supply chain.

For contractors, the path forward is clear. Compliance is no longer optional, and preparation must begin well before contracts are awarded. Mapping CUI boundaries, documenting controls, engaging with accredited C3PAOs, and selecting trustworthy service providers are now baseline requirements for maintaining eligibility in the defense market.

CMMC’s history shows how quickly compliance expectations can shift. Its future will continue to shape the way the defense industrial base approaches cybersecurity, risk management, and trust with the Department of Defense.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and delivers innovative cybersecurity and technology solutions for government, defense, and commercial clients worldwide. Our mission is to transform complex security and compliance challenges into strategic advantages by safeguarding and optimizing digital infrastructure. One example is our “CISO-as-a-Service” offering, which enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

Netizen operates a state-of-the-art 24x7x365 Security Operations Center (SOC) and provides a full suite of services including vulnerability assessments, penetration testing, software assurance, managed detection and response, and compliance advisory. For organizations preparing for CMMC, we currently provide CMMC pre-assessments to help contractors evaluate their readiness, map gaps against requirements, and build a remediation roadmap before undergoing a third-party audit. This proactive approach allows companies to address deficiencies early and approach certification with greater confidence.

Our organization holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC certifications, demonstrating the maturity of our own operations. We are also a Service-Disabled Veteran-Owned Small Business (SDVOSB) recognized by the U.S. Small Business Administration, and we’ve been named to the Inc. 5000 and Vet 100 lists of the fastest-growing private companies in the nation. Netizen has been recognized as a national “Best Workplace” by Inc. Magazine and is a multi-year recipient of the U.S. Department of Labor’s HIRE Vets Platinum Medallion for veteran hiring and retention.

If your organization is preparing for CMMC compliance, Netizen can help you start with a clear picture of your current state. Our pre-assessments provide the guidance needed to plan effectively, reduce risks of failed audits, and ensure long-term alignment with DoD cybersecurity requirements.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.