Key Takeaways: 

  • What is CMMC? What does CMMC stand for?
  • How did CMMC come into existence? 
  • Who actually needs to be CMMC-compliant?

Smithers, an authorized C3PAO (CMMC Third-Party Assessor Organization), can answer all of your questions about CMMC certification, assessments, and more. With 100 years of business experience, more than 30 years as an ANAB-accredited certification body, and status as an authorized C3PAO, Smithers is a source you can trust.


How Did CMMC Become a Rule?

The Defense Federal Acquisition Regulation Supplement (DFARS) was first updated in 2016, which set the groundwork for CMMC. The update required all DoD contractors and their sub-contractors to self-assess against meeting the cybersecurity requirements of NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

The DFARS update in 2019 added the requirement for the Cybersecurity Maturity Model Certification supported by a tri-annual independent assessment. Department of War (DoW) contractors and their sub-contractors handling controlled unclassified information (CUI) were given five years to implement these changes.

The CMMC Accreditation Body (Cyber-AB) was established in 2019 as a joint venture between Carnegie Mellon University, The Johns Hopkins University Applied Physics Laboratory LLC, and Futures, Inc.

The Cybersecurity Maturity Model Certification Accreditation Body oversees the program under a no-cost contract. The program is currently overseen by the DoW CIO office. In 2019, CMMC-AB released the first draft of CMMC 1.0, covering the credentials required for independent assessors and how to conduct assessments of DoW contractors.

The DoW paused CMMC 1.0 in 2021. It began the process of evaluating and updating the DFARS rules for the independent assessments with the release of CMMC 2.0. This covered several critical changes, including:

  • The removal of the CMMC maturity processes
  • Alignment to the NIST SP 800-171 security controls for the body of the assessment
  • The reduction of CMMC levels from five to three
  • The governing body was renamed Cyber-AB to reduce confusion between the CMMC requirements of the DoW and the Cyber-AB’s role as the certifying organization for the auditors who conduct CMMC assessments
  • CMMC 2.0 was officially established when 32CFR went into effect in December 2024, and now, with the publishing of 48CFR, the four-phased implementation went into effect on November 10, 2025.

Do I Need CMMC?

If you are not sure you needed to read this far, check out our post on who needs CMMC. It offers a guide so you can tell whether or not you need to comply. If you have any questions, let us know!

What Questions Do You Have?

CMMC can seem complicated, especially at the start of the compliance journey. What questions can we help you with? Smithers is one of the most well-respected C3PAOs in the CMMC ecosystem. Contact us today.

CMMC FAQs

What does CMMC stand for?

CMMC stands for Cybersecurity Maturity Model Certification.

What are 32CFR and 48CFR?

32CFR and 48CFR are the two parts of the CMMC rule. Learn more about 32CFR.

What is SPRS? What is a SPRS score?

SPRS stands for Supplier Performance Risk System. It is where contractors have been entering their self-assessment scores against NIST SP 800-171 since 2018. Learn more about SPRS.